The intrusion at San Francisco-based software auditing company Codecov affected an unknown number of its 29,000 customers.

The threat actors who breached the popular developer tool Codecov remained undetected for 2 months and reportedly compromised hundreds of customer networks. Recently, HashiCorp disclosed that the GPG private key it used for signing and validating software packages was exposed in this attack, and it has since rotated the key.

However, anyone surveying the open-source projects that use Codecov knows that many more customers have been affected. As a result, this event has been likened to the SolarWinds supply chain attack and has drawn the attention of U.S. federal investigators.

But let’s take a step back and ask how this happened: Codecov’s Bash Uploader script, hosted on Codecov’s own server, was compromised using credentials collected from a flawed Docker image.

In this session, join Ax Sharma, Ilkka Turunen, and Jorn Knuttila to:

  • Learn about the Codecov incident, how it unfolded, and its latest developments
  • Understand how it could have been prevented
  • See why container security is important for Docker and Kubernetes images running in cloud-native environments
  • Take away lessons learned and the steps we can take to prevent such attacks in the future



Jorn Knuttila, Solution Engineer
Ax Sharma, Security Researcher
Ilkka Turunen, Field CTO