Leaked credentials for deploying Nexus repository manager on repo.eclipse.org

Mikaël Barbero of the Eclipse Foundation, the non-profit organization that coordinates work on the Eclipse projects, has confirmed that credentials were leaked to a repository on GitHub, an incident that could have affected repo.eclipse.org.

The Eclipse Foundation learned about the problem on February 16 this year from a developer under the alias gomer ben. The leaked material comprised the credentials used to deploy artifacts to the Nexus repository manager at repo.eclipse.org (username and password, an API key and tokens). The credentials themselves were stored encrypted, but the master password that protects them was part of the same leak. Although the master password was not in plain text, its encoding is trivially reversible, so anyone holding the leaked files could recover it and then decrypt every credential, Barbero said.

The leaked credentials gave full control (read/write/delete) over all Maven repositories at repo.eclipse.org. An attacker holding them could:

  • Delete every published artifact. Highly disruptive but not critical, since the repositories are backed up regularly;

  • Insert classes containing malicious code into published JARs, which would then execute on every system that consumes those JARs;

  • Modify pom.xml files to add or change dependencies, so that subsequent builds pull in those dependencies (which could themselves carry malicious code).
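The second and third manipulations in that list (a class added to or altered in a JAR, a dependency added to or re-versioned in a pom.xml) are detectable by comparing a downloaded artifact against a known-good copy, for example an earlier download, a build cache or a backup. The script below is an added example written for this article; it is not the Eclipse Foundation's own audit tooling. It uses only the Python standard library, and the JARs, POMs and the org.example / org.example.evil coordinates are constructed sample data, not real Eclipse artifacts.

```python
"""Audit Maven artifacts against a known-good copy.

Flags classes added to or changed in a JAR, and dependencies added to or
changed in a pom.xml. Standard library only.
"""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"  # default namespace of a Maven POM


def jar_entry_digests(jar_bytes: bytes) -> dict[str, str]:
    """Map each file entry in a JAR (a zip archive) to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def _diff(known: dict, candidate: dict) -> dict[str, list[str]]:
    """Keys that were added, removed, or whose value changed between two mappings."""
    return {
        "added": sorted(set(candidate) - set(known)),
        "removed": sorted(set(known) - set(candidate)),
        "changed": sorted(k for k in set(known) & set(candidate) if known[k] != candidate[k]),
    }


def diff_jar(known_good: bytes, candidate: bytes) -> dict[str, list[str]]:
    """Entries that appeared, vanished or changed relative to the known-good JAR."""
    return _diff(jar_entry_digests(known_good), jar_entry_digests(candidate))


def pom_dependencies(pom_xml: str) -> dict[str, str]:
    """Map 'groupId:artifactId' -> version for each <dependency> under <dependencies>."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for dep in root.findall(f"./{POM_NS}dependencies/{POM_NS}dependency"):
        key = f"{dep.findtext(POM_NS + 'groupId')}:{dep.findtext(POM_NS + 'artifactId')}"
        deps[key] = dep.findtext(POM_NS + "version") or ""
    return deps


def diff_pom(known_good: str, candidate: str) -> dict[str, list[str]]:
    """Dependencies added, removed or re-versioned relative to the known-good POM."""
    return _diff(pom_dependencies(known_good), pom_dependencies(candidate))


def is_tampered(report: dict[str, list[str]]) -> bool:
    """True when any category of difference is non-empty."""
    return any(report.values())


# --- constructed sample data (hypothetical, not real Eclipse artifacts) -----

def _make_jar(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory JAR from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


MANIFEST = b"Manifest-Version: 1.0\n"
ORIGINAL_JAR = _make_jar({
    "META-INF/MANIFEST.MF": MANIFEST,
    "org/example/App.class": b"\xca\xfe\xba\xbe original bytecode",
})
TAMPERED_JAR = _make_jar({
    "META-INF/MANIFEST.MF": MANIFEST,
    "org/example/App.class": b"\xca\xfe\xba\xbe patched bytecode",       # existing class altered
    "org/example/Payload.class": b"\xca\xfe\xba\xbe injected bytecode",  # class added
})

ORIGINAL_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>app</artifactId><version>1.0.0</version>
  <dependencies>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version></dependency>
  </dependencies>
</project>"""
# The same POM with one dependency added: a consumer's build would now fetch it too.
TAMPERED_POM = ORIGINAL_POM.replace(
    "</dependencies>",
    "  <dependency><groupId>org.example.evil</groupId><artifactId>helper</artifactId>"
    "<version>1.0</version></dependency>\n  </dependencies>",
)

if __name__ == "__main__":
    print("jar:", diff_jar(ORIGINAL_JAR, TAMPERED_JAR))
    print("pom:", diff_pom(ORIGINAL_POM, TAMPERED_POM))
```

Entry-level hashing is deliberate: a whole-file checksum tells you only that something changed, whereas the per-entry report names the injected class and the altered dependency, which is what an incident responder needs to decide whether a release is clean. For snapshot artifacts, which are republished frequently, the difficulty Barbero describes is exactly the lack of a stable known-good copy to diff against.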

As soon as the problem became known, the leaked credentials were revoked, and new credentials were then rolled out to all Jenkins instances that require deployment rights.

“We have conducted a thorough audit and are confident that not a single release artifact has been compromised. Checking snapshot artifacts turned out to be a little more difficult. We did not find any evidence that they were infected, but we have no evidence to the contrary,” said Barbero.
