[tractusx-dev] Rotate all your secrets! And we are looking for the respo

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[tractusx-dev] Rotate all your secrets! And we are looking for the responsible committer for the portal NPM secrets

From: Mathias Brunkow Moser <mathias.moser@xxxxxxxxxxxx>
Date: Fri, 27 Mar 2026 13:41:34 +0000
Accept-language: en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=catena-x.net; dmarc=pass action=none header.from=catena-x.net; dkim=pass header.d=catena-x.net; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Ktx9NTln2FmCuv8ftN2s/gXxBaqpUsNQcuAEqfXP80w=; b=pqU0ie6pKjrnowcp5g/7beuuUuiznIJLVFHmeFj6gZmT1jvMl067DavelmA89IWcmhn1zduc2ii3X44H5MH5b8ko1Vk3O+ePVRe/Lv6LzjDkQonEn78d1cRAtwxeHLxpe90e2Vi+y/fiMhe7bfvP+VK6+nsbmT0ZG12RO/JmYQqSPpeyVJHV9K609wwxtXjT1bMlhcY5iiLtyja/Ecj8mk1s1b5E661LuR0eJ44Ff+xSuW7B0/QJraIGs7Hex/xWVcWaUYVSm5gOCjq9EMSoNpsad2QixUX8LsHintYlTuYQ+Ht+PtxNePM4K1BvhKDJ1KhS61dhr6kqDHaLsaoW7w==
Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=TElJ5/683abJubRwDBm9CRUL+ZOEwJcx6UbNBIH4+E2TNA8MtTKrW+ls3vPe1D7eQmiDmnOiaBnE+boJaZgl/ubp4kMLL8Pkfq5zHk1aqgcdwWKt1vma+aJDa+s0nvZwO6nQhw4uqfi/6Hlm6U+dMiI0eDhekrFVIXVJ2prNrnVpVDfm1Qgq1V9GErmAper7l/bZlggdEe00SbFAYn/r4hRdgJo9sJXQH+t+lQ9N76KJscbHaWYfaVI9ODDOq3g0kl12nOisEUdgF+KSLZjSREB3nNEbRin/oS2pL8sC6bSiE9CvpxxkDptgX+rrku3q/ABhANQjn2Rt1or4yCxyGA==
Delivered-to: tractusx-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/tractusx-dev/>
List-help: <mailto:tractusx-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/tractusx-dev>, <mailto:tractusx-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/tractusx-dev>, <mailto:tractusx-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHcve3ytik+ey8odE2/n2qZE8qCOg==
Thread-topic: Rotate all your secrets! And we are looking for the responsible committer for the portal NPM secrets

Dear Eclipse Tractus-X Community,

We project leads are looking for the responsible committer, or any committer which has knowledge on how the portal shared components NPM package is published.

The eclipse foundation has no control over that, and we need to rotate the secret as soon as possible, since it may have been leaked on the latest Trivy & KICS vulnerability.

Please inform us if you have any hint on how that was done (since this is a critical issue):

https://www.npmjs.com/package/@catena-x/portal-shared-components

All the secrets which are managed by the eclipse foundation were rotated, we are very thankful that they were so lovely and have quickly responded on that manner 😉

For the other committers, we have several secrets which are probably not used and should be deleted!!! If you are using them, please inform us, otherwise we will delete them all, please MUST also rotate any key which was added to our repositories as a secret, as it may be leaked.

Org-level

Veracode => Deleted

Repo-level

item-relationship-service

DEV_ADMIN_USER_API_KEY
DEV_REGULAR_USER_API_KEY
INT_ADMIN_USER_API_KEY
INT_REGULAR_USER_API_KEY
IRS_CUCUMBER_PUBLISH_TOKEN
IRS_XRAY_JIRA_SECRET
IRS_XRAY_JIRA_USER
SONAR_ORGANIZATION
SONAR_PROJECT_KEY
SONAR_TOKEN

portal-backup

NUGET_API_KEY
SONAR_TOKEN

portal-shared-components

NPM_PUBLISH

sig-release

NOTIFICATION_EMAIL_PASSWORD

sldt-bpn-discovery

SONAR_TOKEN

sldt-semantic-models

CLIENT_ID_DEV
CLIENT_ID_INT
CLIENT_SECRET_DEV
CLIENT_SECRET_INT
IDP_URL_DEV
IDP_URL_INT
SEMANTIC_HUB_DEV_BASE
SEMANTIC_HUB_INT_BASE

ssi-authority-schema-registry

SONAR_TOKEN

ssi-credential-issue

SONAR_TOKEN

ssi-dim-wallet-stub

SONAR_TOKEN

traceability-foss

ASSOCIATION_E2E_TXA_HOST
ASSOCIATION_E2E_TXB_HOST
ASSOCIATION_KEYCLOAK_HOST
ASSOCIATION_SUPERVISOR_TX_A_CLIENT_ID
ASSOCIATION_SUPERVISOR_TX_A_PASSWORD
ASSOCIATION_SUPERVISOR_TX_B_CLIENT_ID
ASSOCIATION_SUPERVISOR_TX_B_PASSWORD
ASSOCIATION_TX_JIRA_PASSWORD
ASSOCIATION_TX_JIRA_USERNAME
E2E_TXA_HOST
E2E_TXB_HOST
KEYCLOAK_HOST
ORG_IRS_JIRA_PASSWORD
ORG_IRS_JIRA_USERNAME
SONAR_TOKEN_BACKEND
SONAR_TOKEN_FRONTEND
SUPERVISOR_CLIENT_ID
SUPERVISOR_PASSWORD
TRACE_X_ADMIN_LOGIN
TRACE_X_ADMIN_PW
TRACE_X_API_KEY_ASSOCIATION_INT
TRACE_X_API_KEY_DEV
TRACE_X_API_KEY_INT_A
TRACE_X_API_KEY_INT_B
TRACE_X_SUPERVISOR_LOGIN
TRACE_X_SUPERVISOR_PW
TRACE_X_USER_LOGIN
TRACE_X_USER_PW

traceability-foss-backend

SONAR_TOKEN

tractusx-edc

AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
AZURE_VAULT_NAME
GPG_PASSPHRASE
GPG_PRIVATE_KEY
SONAR_TOKEN

tractusx-edc-kafka-extension

SONAR_TOKEN

Thank you for your appreciation and work,

Please let us know as soon as possible,

Kind Regards,

Mathias Moser

Chief Software Architect

Eclipse Tractus-X™ Project Lead

Catena-X Automotive Network e.V.

c/o beyond Quartier Heidestrasse

Heidestraße 34 • 10557 Berlin

Tel: +49 151 26515225 

mathias.moser@xxxxxxxxxxxx | LinkedIn

Vereinsregister beim Amtsgericht Berlin (Charlottenburg) Nr VR38942B

Vorstandsvorsitzender: Oliver Ganser

Book time to meet with me

A logo for a company

Description automatically generated

CONFIDENTIALITY NOTICE: Proprietary/Confidential Information belonging to Catena-X Automotive Network e.V. and its associates may be contained in this message. If you are not a recipient indicated or intended in this message (or responsible for delivery of this message to such person), or you think for any reason that this message may have been addressed to you in error, you may not use or copy or deliver this message to anyone else. In such case, you should destroy this message and are asked to notify the sender by reply e-mail.

Prev by Date: [tractusx-dev] Action Required: Kubernetes New Release (1.35.3)
Previous by thread: [tractusx-dev] Action Required: Kubernetes New Release (1.35.3)
Index(es):
- Date
- Thread

Breadcrumbs