Skip to content

Clojars Deploy Token

Service Name: Clojars

Service Description: Clojars is a community repository for open source Clojure libraries. It's similar to Maven Central but focused on Clojure libraries and applications.

Service Address: https://clojars.org/

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants the ability to deploy (publish) Clojure libraries to the Clojars repository. A deploy token provides write access to publish packages under a specific user account or organization.

Secret Revokement URL: https://clojars.org/tokens

Secret Example: CLOJARS_a1b2c3d4e5f6g7h8i9j0

Suspicious Activity Investigation Instructions:

  • Check your Clojars account for any unauthorized package deployments
  • Review the deployment history for packages you maintain
  • Look for version updates or new packages you didn't authorize
  • Check for any changes to package metadata or dependencies
  • Verify if there are any suspicious dependencies added to your packages
  • Review GitHub Actions or CI/CD pipelines that might be using the token

Mitigation Instructions:

  • Log in to your Clojars account at https://clojars.org/
  • Navigate to the "Tokens" section in your account settings

  • Identify the compromised token and revoke it immediately

  • Create a new token with appropriate permissions if needed
  • Update any legitimate CI/CD pipelines or build systems with the new token
  • Review and audit all packages published during the time the token was

compromised

  • Consider adding a notification system for new deployments to your account
  • Implement proper secret management practices in your development workflow