Clojars Deploy Token
Service Name: Clojars
Service Description: Clojars is a community repository for open source Clojure libraries. It's similar to Maven Central but focused on Clojure libraries and applications.
Service Address: https://clojars.org/
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants the ability to deploy (publish) Clojure libraries to the Clojars repository. A deploy token provides write access to publish packages under a specific user account or organization.
Secret Revokement URL: https://clojars.org/tokens
Secret Example: CLOJARS_a1b2c3d4e5f6g7h8i9j0
Suspicious Activity Investigation Instructions:
- Check your Clojars account for any unauthorized package deployments
- Review the deployment history for packages you maintain
- Look for version updates or new packages you didn't authorize
- Check for any changes to package metadata or dependencies
- Verify if there are any suspicious dependencies added to your packages
- Review GitHub Actions or CI/CD pipelines that might be using the token
Mitigation Instructions:
- Log in to your Clojars account at https://clojars.org/
-
Navigate to the "Tokens" section in your account settings
-
Identify the compromised token and revoke it immediately
- Create a new token with appropriate permissions if needed
- Update any legitimate CI/CD pipelines or build systems with the new token
- Review and audit all packages published during the time the token was
compromised
- Consider adding a notification system for new deployments to your account
- Implement proper secret management practices in your development workflow