Synopsis

Late last week it was brought to our attention that CodeCov suffered an attack in which attackers gained access to their bash uploader script and modified it without CodeCov's permission. This enabled hackers to modify the script and monitor data as it was uploaded to CodeCov, including secrets that were used in the CI pipeline. HashiCorp uses CodeCov's uploader and, as a result, their GPG signing key was exposed. This means a hacker can sign binaries on behalf of HashiCorp and there would be no way of knowing which binaries are legitimate from HashiCorp and which are tampered with.

Recommended Actions

- Update your Terraform and CodeCov software ASAP

Status

CodeCov has taken action to remedy the situation, as has HashiCorp.
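The attack described above worked because CI jobs fetched and executed the uploader script without checking that it was the copy they expected. The following is an added example (not code from the original post, CodeCov, or HashiCorp) of the defensive check a pipeline can apply to any helper script it runs: pin the script's SHA-256 in the repository and refuse to execute a copy whose hash differs. It assumes only that sha256sum (coreutils) or shasum (BSD/macOS) is on the PATH; the sample scripts and the "tampered" modification are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: fail closed when a fetched
# CI helper script does not match the hash the team pinned for it.

# Print the SHA-256 of a file; works with coreutils sha256sum or BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only when the file's hash equals the pinned value. A mismatch is
# reported on stderr and returns 1; the caller must not execute the file then.
verify_pinned() {
  file="$1"
  expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "hash mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# Run a script only after verify_pinned accepts it.
run_if_pinned() {
  if verify_pinned "$1" "$2"; then
    sh "$1"
  else
    echo "refusing to execute $1" >&2
    return 1
  fi
}

# Constructed demo: a known-good stub uploader, a pinned hash as it would be
# committed alongside the pipeline config, and a modified copy of the script.
demo() {
  tmp="$(mktemp -d)"
  printf '#!/bin/sh\necho "uploading coverage report"\n' > "$tmp/uploader.sh"
  pinned="$(sha256_of "$tmp/uploader.sh")"   # value the team would commit

  cp "$tmp/uploader.sh" "$tmp/uploader-modified.sh"
  printf 'echo "extra line added after the hash was pinned"\n' >> "$tmp/uploader-modified.sh"

  run_if_pinned "$tmp/uploader.sh" "$pinned"            # runs
  run_if_pinned "$tmp/uploader-modified.sh" "$pinned"   # refused
  rm -rf "$tmp"
}

# Run the demo only when this file is executed directly, not when sourced.
case "$0" in
  *sh) ;;
  *) demo ;;
esac
```

Pinning the hash moves trust from "whatever the download URL serves today" to a value reviewed in version control, so a modified script fails the check instead of running with the pipeline's secrets in its environment. The same pattern applies to release binaries, where the pinned value should be refreshed only after verifying the vendor's signature with a key that is known to be current.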