Skip to content

NuGet API Key

Service Name: NuGet

Service Description: NuGet is the package manager for .NET development. It enables developers to create, share, and consume useful .NET libraries and tools. NuGet client tools provide the ability to produce and consume packages.

Service Address: https://www.nuget.org/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level through Azure DevOps if using Azure Artifacts for private NuGet feeds.

Secret Access Scope: Grants the ability to publish, update, and manage NuGet packages on the NuGet Gallery or private NuGet feeds.

Secret Revokement URL: https://www.nuget.org/account/apikeys

Secret Example: oy2p4uxqhkadgjfxap6vkpecbmeo6laksjdhfueyt35fsytq

Suspicious Activity Investigation Instructions:

  • Check the NuGet account for unauthorized package publications or updates
  • Review the API key usage history in your NuGet account
  • Verify the integrity of packages published under your account
  • Check for unexpected package versions or modifications
  • Review package download statistics for unusual patterns
  • Examine the package contents for potentially malicious code

Mitigation Instructions:

  • Log in to your NuGet account at https://www.nuget.org/account
  • Navigate to the API Keys section

  • Identify the compromised API key

  • Click "Revoke" or "Delete" to invalidate the key
  • Create a new API key with appropriate scopes
  • Update any legitimate CI/CD pipelines with the new API key
  • Review all packages published during the suspected compromise period
  • Consider publishing updated versions of any potentially compromised packages
  • Enable two-factor authentication on your NuGet.org account if available