But there’s also another way that developers package APIs into the front end – sometimes they will “hard code the APIs directly into the front end JavaScript,” he added: “This is much more difficult to scrape than the other method… I think it unlikely that these TAs went spelunking this hard into the console internals. Most likely they intercepted their own requests using Burp, looked at them, and used that to programmatically sign their own requests using SigV4. Threat Actors are looking for APIs buried deep in the console and they will try to take advantage of them.”