huntr report 65096EF9-EAFC-49DA-B49A-5B88C0203CA6 by ivanovanton
History: Apr 10, 2023 - 1:11 p.m.

GitHub token with wide access to Nuxt-related repositories leaked in the wild

2023-04-10 13:11:58
ivanovanton
www.huntr.dev
Tags: github, nuxt, token, access, leakage, hardcoded, repositories, organizations, admin, permissions, private, push, proof of concept, bug bounty

EPSS: 0.003 (Low), Percentile: 67.8%

Description

If you visit https://nuxt.com, you will find a hardcoded GitHub token in the source code of the page: 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.
This token has access to multiple repositories under the nuxt, nuxtlabs and nuxt-themes GitHub organisations.

https://github.com/nuxt

Admin permissions to 86 repositories (33 of them are private):

[ADMIN EDIT: Private repositories redacted at the request of the maintainer]

nuxt/nuxt
nuxt/vue-meta
nuxt/nuxtjs.org
nuxt/docs
nuxt/todomvc
nuxt/example-auth0
nuxt/benchmarks
nuxt/hackernews
nuxt/cli-draft
nuxt/hacker-news-pwas
nuxt/create-nuxt-app
nuxt/youch
nuxt/css-loader
nuxt/friendly-errors-webpack-plugin
nuxt/vue-devtools
nuxt/babel-preset-app
nuxt/renovate-config-nuxt
nuxt/codesandbox-nuxt
nuxt/eslint-config
nuxt/nuxt-redirects
nuxt/rfcs
nuxt/press
nuxt/eslint-plugin-nuxt
nuxt/actions-yarn
nuxt/nuxt-services-experimental
nuxt/vercel-builder
nuxt/loading-screen
nuxt/http
nuxt/typescript
nuxt/markdown
nuxt/test-utils
nuxt/blueprints
nuxt/components
nuxt/content
nuxt/telemetry
nuxt/modules
nuxt/image
nuxt/nitro-demo
nuxt/assets
nuxt/vite
nuxt/postcss8
nuxt/framework
nuxt/starter
nuxt/nuxt-movies
nuxt/devtools
nuxt/nuxt3-stubs
nuxt/module-builder
nuxt/bridge
nuxt/movies
nuxt/nuxt.new
nuxt/examples
nuxt/.github
nuxt/governance

https://github.com/nuxtlabs

Push permissions to 81 repositories (64 of them are private), also admin permissions to 4 of them:

[ADMIN EDIT: Private repositories redacted at the request of the maintainer]

nuxtlabs/vue-telescope-analyzer
nuxtlabs/vue-telescope-website
nuxtlabs/vue-telescope-extensions
nuxtlabs/guides-examples
nuxtlabs/demo-blog-nuxt-content
nuxtlabs/examples
nuxtlabs/pwa-module
nuxtlabs/nuxtjs.org
nuxtlabs/github-module
nuxtlabs/vscode-mdc
nuxtlabs/tiptap-markdown
nuxtlabs/.github
nuxtlabs/nuxt-component-meta
nuxtlabs/starter
nuxtlabs/mdc-api
nuxtlabs/docus-theme-starter
nuxtlabs/studio-demo

https://github.com/nuxt-themes

Push permissions to 10 repositories (2 of them are private):

[ADMIN EDIT: Private repositories redacted at the request of the maintainer]

nuxt-themes/docus
nuxt-themes/docus-docs-starter
nuxt-themes/config
nuxt-themes/alpine
nuxt-themes/starter
nuxt-themes/typography
nuxt-themes/alpine-starter
nuxt-themes/.github

Proof of Concept

% curl https://nuxt.com/ | grep -o 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
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

% curl -sS -f -I -H "Authorization: token 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" https://api.github.com
HTTP/2 200
server: GitHub.com
...
x-oauth-scopes: read:org, repo, user
...
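The two steps of the proof of concept (spotting a token in fetched page content, then reading the x-oauth-scopes header to see what it grants) are the same checks a defender runs over their own deployed front-end. The following is an added example written for this page; it is not part of the huntr submission or of the Nuxt project. The page snippet and the token value in it are constructed placeholders (the token has the right length but is not a real credential), the scope notes summarise GitHub's published OAuth scope documentation, and the function names are my own.

```python
"""Detect GitHub token formats in fetched page/bundle text and classify what
a leaked token's scopes grant.  Added example for this report; sample inputs
are constructed and the token below is a placeholder, not a real secret."""
import re

# Token shapes GitHub documents: classic tokens are a 3-letter prefix plus
# 36 base62 characters; fine-grained PATs are github_pat_ + 22 + '_' + 59.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)
PREFIX_RE = re.compile(r"^(gh[pousr]_|github_pat_)")

TOKEN_KINDS = {
    "ghp_": "classic PAT",
    "gho_": "OAuth access token",
    "ghu_": "user-to-server token",
    "ghs_": "server-to-server token",
    "ghr_": "refresh token",
    "github_pat_": "fine-grained PAT",
}

# What each scope in an x-oauth-scopes header grants (GitHub scope docs).
SCOPE_NOTES = {
    "repo": "full read/write on every repository the user can reach, private included",
    "read:org": "read organization membership and team structure",
    "user": "read/write the user profile and e-mail addresses",
    "admin:org": "full control of organizations and teams",
    "workflow": "add or update GitHub Actions workflow files",
    "delete_repo": "delete repositories",
}
HIGH_RISK = {"repo", "admin:org", "workflow", "delete_repo"}

# Constructed sample resembling a built front-end bundle with an embedded token.
SAMPLE_PAGE = (
    '<script>const cfg={api:"https://api.github.com",\n'
    'headers:{Authorization:"token ghp_EXAMPLEtokenEXAMPLEtokenEXAMPLEtoken"}};\n'
    'fetch(cfg.api+"/repos/nuxt/nuxt")</script>\n'
)


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a finding can be matched
    to the real credential internally without re-publishing it."""
    prefix = PREFIX_RE.match(token).group(1)
    return f"{prefix}{'*' * (len(token) - len(prefix) - 4)}{token[-4:]}"


def find_tokens(content: str) -> list[dict]:
    """Scan text line by line; return line number, redacted token and kind."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for m in GITHUB_TOKEN_RE.finditer(line):
            tok = m.group(0)
            prefix = PREFIX_RE.match(tok).group(1)
            findings.append(
                {"line": lineno, "token": redact(tok), "kind": TOKEN_KINDS[prefix]}
            )
    return findings


def parse_scopes(header_value: str) -> list[str]:
    """Split an x-oauth-scopes value such as 'read:org, repo, user'."""
    return [s.strip() for s in header_value.split(",") if s.strip()]


def assess_scopes(header_value: str) -> dict:
    """Summarise a leaked token's blast radius from its scope list."""
    scopes = parse_scopes(header_value)
    return {
        "scopes": scopes,
        "high_risk": sorted(s for s in scopes if s in HIGH_RISK),
        "notes": {s: SCOPE_NOTES.get(s, "see GitHub scope documentation") for s in scopes},
    }


if __name__ == "__main__":
    for f in find_tokens(SAMPLE_PAGE):
        print(f"line {f['line']}: {f['kind']} {f['token']}")
    report = assess_scopes("read:org, repo, user")
    print("high-risk scopes:", report["high_risk"])
    for scope, note in report["notes"].items():
        print(f"  {scope}: {note}")
```

Run this over the HTML and JavaScript your build actually ships (for a Nuxt site, the generated output directory or the live page fetched with curl as in the proof of concept), not just the repository, since bundlers inline environment variables at build time. A match is a finding regardless of whether the token still works; the remediation is to revoke and reissue the credential, because removing it from the page does nothing for copies already fetched.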
