Threat actors who breached Codecov, a popular developer tool, remained undetected for two months and reportedly gained access to hundreds of customer networks. HashiCorp recently disclosed that the GPG private key it used to sign and validate its software packages was exposed in the attack, and it has since rotated the key.
But anyone surveying the open-source projects that use Codecov can see that many more customers were affected. The incident has been likened to the SolarWinds supply chain attack and has drawn the attention of U.S. federal investigators.
So let's take a step back and ask: how did this happen? Codecov's Bash Uploader script, hosted on Codecov's own server, was modified by the attackers using credentials they harvested from a flawed Docker image. Because customers download and execute that script inside their CI pipelines, every pipeline run that fetched the altered copy ran the attackers' code.
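The practical lesson from a modified hosted script is to stop piping a download straight into bash and instead pin a digest of the copy you reviewed, then refuse to execute anything that no longer matches it. The script below is an added example written for this page, not Codecov's, HashiCorp's or the session's own code. The download URL is a placeholder, the pinned digest is something you would record yourself from a reviewed copy, and the `demo` function tampers with a constructed local file rather than reproducing anything from the real incident.

```bash
#!/bin/sh
# Added example (not Codecov's own tooling): verify a CI helper script against a
# pinned SHA-256 digest before executing it. The digest is recorded once from a
# copy you have reviewed and committed next to the pipeline definition, so a
# change to the hosted copy fails verification instead of running.
set -eu

# SHA-256 of a file; works with GNU coreutils (sha256sum) or macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 only when the file's digest equals the pinned one. On mismatch it
# reports both digests and returns 1; the caller must not execute the file.
verify_script() {
    file="$1"
    expected="$2"
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: digest $actual does not match pinned $expected" >&2
        return 1
    fi
    return 0
}

# Download (placeholder URL), verify, and only then execute. Replaces the
# common "bash <(curl -s https://example.invalid/uploader)" pattern.
run_verified() {
    url="$1"
    expected="$2"
    tmp="$(mktemp)"
    if ! curl -fsSL "$url" -o "$tmp"; then rm -f "$tmp"; return 1; fi
    if ! verify_script "$tmp" "$expected"; then rm -f "$tmp"; return 1; fi
    rc=0
    bash "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Self-check on a constructed script file: the reviewed copy passes, and the
# same file fails once a line is appended (a stand-in for the hosted copy being
# altered). Returns 0 when both outcomes are as expected.
demo() {
    f="$(mktemp)"
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$f"
    pinned="$(sha256_of "$f")"                  # recorded once, from the reviewed copy
    verify_script "$f" "$pinned" || { rm -f "$f"; return 1; }
    printf 'echo "injected line"\n' >> "$f"     # simulated tampering; never executed here
    if verify_script "$f" "$pinned" 2>/dev/null; then rm -f "$f"; return 1; fi
    rm -f "$f"
    return 0
}
```

Run `demo` to see the pass-then-refuse behaviour on a local file; in a real pipeline you would call `run_verified <url> <pinned-digest>` from the CI step that currently pipes the download into bash. A pinned digest has to be updated deliberately whenever the upstream script legitimately changes, which is the point: a change to the hosted copy becomes a visible review event instead of silently running in every build.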
In this session, join Ax Sharma, Ilkka Turunen, and Jorn Knuttila to: