lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Sonatype Nexus Repository

SonatypeCI/CD3 credentials

Credentials3 documented
01

Administrator Password

sonatype-nexus / admin-password

Nexus Repository uses administrator and user accounts for UI and API access. Sonatype documentation covers resetting the admin password and local/remote authentication integrations.

generated on installuser definedsecretusername/password

Location

database

Nexus security database storing users, roles, and password verifier data

config file

nexus.properties, runtime environment configuration, and deployment manifests

public interface
Nexus Repository UI and REST APIs
secret store

Kubernetes Secrets, cloud secret managers, and deployment vaults

source code

Docker Compose files, Helm values, tests, and committed configuration

logs

startup logs, admin password reset output, and authentication traces

Notes

Initial administrator passwords are deployment-generated or operator-set; do not treat examples as universal defaults.

02

User Token

sonatype-nexus / user-token

Nexus Repository supports user tokens as an alternative to using a user's real password with package managers and repository clients. Sonatype docs cover user tokens and migrations between authentication backends.

user definedsecrettoken

Location

http header
Authorization

Basic authentication using Nexus user-token name/code or token-derived credentials

database

Nexus token and user security stores

config file

Maven settings.xml, npmrc, pip.conf, NuGet config, Docker config, and CI manifests

environment
NEXUS_USERNAME, NEXUS_PASSWORD, NEXUS_TOKEN
secret store

CI/CD variables, build platform secrets, and cloud secret managers

source code

build scripts, dependency manager config, tests, and committed examples

logs

package manager debug logs and CI output

Notes

User tokens inherit the repository privileges of the owning Nexus user.

03

Database / Blob Store Secret

sonatype-nexus / database-blobstore-secret

Nexus Repository deployments can use external databases and blob stores. Runtime environment and storage documentation include database and cloud storage credentials used by the repository manager.

user definedsecretusername/password

Location

config file

nexus.properties, database config, blob store config, and deployment manifests

environment
NEXUS_DATASTORE_USERNAME, NEXUS_DATASTORE_PASSWORD, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
secret store

External Secrets Operator, Kubernetes Secrets, cloud secret managers, and database vault entries

source code

Helm values, Docker Compose files, and committed deployment config

logs

runtime connection errors and support bundles

Notes

These secrets can expose repository metadata, artifacts, blob stores, and credentials stored by integrations.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.