Math.random() is a PRNG, not a CSPRNG. An attacker who observes a few outputs can predict every future call. I found this exact pattern generating API keys in a 44K-star open-source codebase. Here is why it matters and the ESLint rule that catches it in 3 seconds.
I found this in our benchmark corpus, extracted verbatim from Cal.com's Make integration setup (~44K GitHub stars):
const apiKey = `cal_live_${Math.random().toString(36).substring(2)}`;
Enter fullscreen mode
Exit fullscreen mode
An attacker who observes a handful of these keys can predict the next one. That is not a theoretical risk — it is a consequence of how Math.random() works. And this pattern is everywhere.
Certifiably random: Swiss researchers claim perfect random number source
Physicists Just Achieved 'Perfect Randomness' For The First Time Ever
A quantum computing system's perfect randomness could keep your secrets safe
Perfect random numbers generated for 1st time: Why it matters
Experimental randomness amplification - Nature
Google Deepmind's AlphaProof Nexus solves decades-old math problems for a few hundred dollars
Why Math.random() Is Unsafe for Passwords — and How to Use crypto.getRandomValues...
We're getting new functions for generating random numbers in CSS! But the road to get here has been a long and winding one.
The randomness in quantum physics is imperfect and needs amplification to be considered truly random, the researchers say.
You've locked down your AWS credentials. You've got secret scanning on your repos. You rotate your...
Why hand-author anything? The obvious approach for seeding an adaptive math tutor is to...
A new study reveals how AI coding assistants like Claude Code are quietly hoarding and publishing sensitive API keys to code…
