NuGet API Key
Detects NuGet.org API keys (oy2 prefix), used to push packages to the NuGet gallery. A leaked key lets an attacker publish or unlist packages under the owner's account.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: the oy2 prefix with a fixed 43-character lowercase base32 body is specific to NuGet.org API keys.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories
- credentials, security
- Scope
- narrow
- Risk rating
- 8
- Platform compatibility
- Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9])oy2[a-z0-9]{43}(?![A-Za-z0-9])
Corroborative evidence keywords
nuget, nuget.org, api key, apikey, dotnet nuget push, NUGET_API_KEY, package source
Proximity: 300 characters
Should match
- oy2abcdefghijklmnopqrstuvwxyz0123456789abcdefg — NuGet API key, oy2 prefix + 43 base32 chars
- NUGET_API_KEY=oy2mnbvcxzlkjhgfdsapoiuytrewq0123456789abcdefg — Labelled NuGet key in an env assignment
- oy2zyxwvutsrqponmlkjihgfedcba0987654321zyxwvut — Another NuGet key body
Should not match
- oy2abcdefghijklmnopqrstuvwxyz — Too short to be a valid NuGet key
- oy3abcdefghijklmnopqrstuvwxyz0123456789abcdefg — Wrong prefix (oy3 instead of oy2)
- run dotnet nuget push with your nuget.org api key — Prose mention without a token value
Known false positives
- Documentation or examples showing placeholder oy2 strings. Mitigation: Require corroborative keywords and check for placeholder markers (example, xxxx).
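The following Python scanner is an added example, not the rule engine's own code: it applies the pattern above together with the 300-character keyword proximity check and the placeholder-marker mitigation, and runs it over the page's own should/should-not-match samples plus two constructed cases (a placeholder key made of repeated x characters, and a key embedded in a longer alphanumeric run). The verdict labels (report, review, suppress), the choice to scope the placeholder check to the token's own line, and the sample inputs are assumptions made for this example.

```python
import re

# Detection pattern from the rule: the oy2 prefix followed by exactly 43 [a-z0-9]
# characters, with lookarounds so the token is not part of a longer alphanumeric run.
NUGET_KEY_RE = re.compile(r"(?<![A-Za-z0-9])oy2[a-z0-9]{43}(?![A-Za-z0-9])")

# Corroborative keywords from the rule, compared case-insensitively.
KEYWORDS = ("nuget", "nuget.org", "api key", "apikey", "dotnet nuget push",
            "nuget_api_key", "package source")
PROXIMITY = 300  # characters of context on each side of a candidate, per the rule

# Placeholder markers named in the rule's false-positive note.
PLACEHOLDER_MARKERS = ("example", "xxxx")


def find_nuget_keys(text):
    """Scan text for NuGet API key candidates and return one finding per regex hit.

    Each finding is a dict with the matched token, its character offset, whether a
    corroborative keyword sits within PROXIMITY characters, whether the token's
    line carries a placeholder marker, and a verdict (assumed labels, not the rule's):
      "report"   - matched and corroborated, no placeholder marker
      "review"   - matched but no corroborative keyword nearby
      "suppress" - placeholder marker on the token's line
    """
    findings = []
    for m in NUGET_KEY_RE.finditer(text):
        start, end = m.span()
        token = m.group(0)

        # Keyword check over the proximity window around the token.
        window = text[max(0, start - PROXIMITY):end + PROXIMITY].lower()
        corroborated = any(k in window for k in KEYWORDS)

        # Placeholder check is scoped to the token's own line (an assumption here)
        # so a marker elsewhere in a large window does not suppress a real key.
        line_start = text.rfind("\n", 0, start) + 1
        line_end = text.find("\n", end)
        if line_end == -1:
            line_end = len(text)
        line = text[line_start:line_end].lower()
        placeholder = any(p in line for p in PLACEHOLDER_MARKERS)

        if placeholder:
            verdict = "suppress"
        elif corroborated:
            verdict = "report"
        else:
            verdict = "review"

        findings.append({
            "token": token,
            "offset": start,
            "corroborated": corroborated,
            "placeholder": placeholder,
            "verdict": verdict,
        })
    return findings


# Constructed sample inputs (not real keys). The first three token bodies are the
# rule's own "should match" samples; the placeholder and embedded cases are added here.
SAMPLE_CLI = ("dotnet nuget push MyPkg.nupkg --api-key "
              "oy2abcdefghijklmnopqrstuvwxyz0123456789abcdefg "
              "--source https://api.nuget.org/v3/index.json")
SAMPLE_ENV = "NUGET_API_KEY=oy2mnbvcxzlkjhgfdsapoiuytrewq0123456789abcdefg"
SAMPLE_BARE = "token=oy2zyxwvutsrqponmlkjihgfedcba0987654321zyxwvut"
SAMPLE_PLACEHOLDER = "# example: dotnet nuget push --api-key oy2" + "x" * 43
SHOULD_NOT_MATCH = (
    "oy2abcdefghijklmnopqrstuvwxyz",                     # too short
    "oy3abcdefghijklmnopqrstuvwxyz0123456789abcdefg",    # wrong prefix
    "run dotnet nuget push with your nuget.org api key",  # prose only
    "xoy2abcdefghijklmnopqrstuvwxyz0123456789abcdefg",   # embedded in a longer run
)

if __name__ == "__main__":
    for sample in (SAMPLE_CLI, SAMPLE_ENV, SAMPLE_BARE, SAMPLE_PLACEHOLDER, *SHOULD_NOT_MATCH):
        print(sample[:60].ljust(60), find_nuget_keys(sample) or "no match")
```

The bare `token=` case shows why the keyword requirement matters: the regex alone fires on it, but with no corroborating term within 300 characters it is downgraded to review rather than reported outright, while the placeholder line is suppressed even though it is fully corroborated.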