Kdo vlastní filmy „koupené v iTunes, porno spam na Signalu a firemní profily na Twitteru lupa.cz - get the latest breaking news, showbiz & celebrity photos, sport news & rumours, viral videos and top stories from lupa.cz Daily Mail and Mail on Sunday newspapers.
HashiCorp is the latest victim of Codecov supply-chain attack
By
02:16 AM
Open-source software tools and Vault maker HashiCorp has disclosed a security incident that occurred due to the recent Codecov attack.
HashiCorp, a Codecov customer, has stated that the recent Codecov supply-chain attack aimed at collecting developer credentials led to the exposure of HashiCorp s GPG signing key.
The private key is used by HashiCorp to sign and verify software releases, and has since been rotated as a precaution.
HashiCorp discloses code-signing key compromise
This week, HashiCorp, a notable open-source software tools and infrastructure provider, disclosed that the recent Codecov supply-chain attack had impacted a subset of their Continuous Integration (CI) pipelines.
iTWire Wednesday, 21 April 2021 11:21 Software auditing tool maker Codecov breached, upload script modified Featured Pixabay
Software auditing tool maker Codecov has had its systems breached and the attackers are now reportedly using its bash uploader script to gain access to hundreds of its customers networks.
The attackers were able to modify the upload script and gained access to do this because to a mistake in its creation of a Docker image.
Codecov said in
a statement issued on 15 April that it became aware of the incident on 1 April, but there had been unauthorised entry to its systems from 31 January onwards.
Reuters
Codecov Supply Chain Attack May Hit Thousands: Report
Phil Muncaster UK / EMEA News Reporter , Infosecurity Magazine
Experts have urged organizations to reassess cyber-risk in their supply chains as it emerged that hundreds of customers of a software auditing company had their networks accessed illegally.
Originally thought only to have affected the supplier, San Francisco-based Codecov, the incident is now believed to have been a deliberate supply chain attack likened in sophistication to the SolarWinds operation.
Investigators told Reuters that the attack had already led to hundreds of customers’ networks being accessed. Codecov’s customer-base of around 29,000 includes many big tech brands such as IBM, Google, GoDaddy and HP, as well as publishers (
By Juha Saarinen on Apr 20, 2021 12:14PM
Scores of projects potentially affected by supply chain attack.
A malicious alteration to a shell script lay undetected since January this year at software testing coverage report provider Codecov, sparking fears of another significant supply chain attack.
Forensic analysis shows that an unknown threat actor exploited an error in Codecov s Docker container image creation process, and gained access to the credential that allowed the modification to the company s Bash Uploader script.
Codecov said a Google Cloud Storage key was accessed starting January 31 this year, and not secured until April 1 US time.
The script is normally used to upload coverage reports to Codecov, but it was altered to transmit the UNIX shell environment, which can be used to store variables.