Skip to content

Gemfury Deploy or Push Token

Service Name: Gemfury

Service Description: Gemfury is a cloud repository for your private packages. It provides hosting for Ruby gems, npm modules, Python packages, and other dependency types with a simple push mechanism.

Service Address: https://gemfury.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level for Enterprise plans

Secret Access Scope: Grants ability to push, deploy, and manage packages on the Gemfury repository. Depending on the token permissions, it may allow read-only or read-write access to specific packages or all packages in an account.

Secret Revokement URL: https://manage.fury.io/tokens

Secret Example: 6EsNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Suspicious Activity Investigation Instructions:

  • Review the Gemfury account activity logs for unauthorized package uploads or modifications
  • Check for unexpected package versions or new packages in your repository
  • Verify if any existing packages have been modified unexpectedly
  • Look for unusual IP addresses accessing your Gemfury account
  • Check for any changes to package access permissions

Mitigation Instructions:

  • Immediately revoke the compromised token by navigating to your Gemfury account dashboard

  • Go to the Account Settings > API Tokens section

  • Delete the compromised token
  • Generate a new token with appropriate permissions
  • Update all legitimate CI/CD pipelines and deployment scripts with the new token
  • Review and audit all packages in your repository for unauthorized modifications
  • Enable two-factor authentication for your Gemfury account if available
  • Consider implementing IP restrictions for your Gemfury account if on an

Enterprise plan