Codecov Kills Off Bash Uploader Blamed for Supply Chain Hack

Following a major software supply chain compromise that exposed data belonging to several major companies, developer tools startup Codecov plans to kill off the Bash Uploader, the tool attackers tampered with to carry out the breach.


Codecov, a little-known startup considered the vendor of choice for measuring code coverage in the tech industry, has shipped an entirely new uploader written in Node.js to replace the Bash Uploader, the developer tool that was compromised in a recent software supply chain attack.


“We initiated this project because, as usage of Codecov has grown and our development velocity has increased, the Bash Uploader has become increasingly complex to properly maintain,” Codecov said.


The company said that the Bash Uploader had, over time, accumulated many “magic features” that were difficult to reason about and support across an ever-increasing number of use cases, and warned that its distribution mechanism of choice [curl piped straight into bash, so that whatever the server returns is executed with no chance to inspect or verify it first] “is notoriously problematic from a security perspective.”


[ SEE: CodeCov Discloses Ominous Software Supply Chain Hack ]


Codecov said the weaknesses of that distribution mechanism were at the root of the incident, which claimed a range of victims including HashiCorp, Mozilla, Twilio, and Rapid7.


“To combat this incident from a product perspective we initially provided better documentation on how to verify the Codecov Bash Uploader until our new Uploader was complete, but our ultimate long-term goal has always been to replace the Bash Uploader altogether,” the company said in a blog post.
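What “verifying” a script distributed this way amounts to in practice is replacing `curl | bash` with three separate steps: fetch the script to disk, compare its digest against a value obtained through a channel the attacker who replaced the script could not also control, and only then execute it. The block below is an added example of that discipline; it is not Codecov's own code or documentation. It assumes the publisher supplies a SHA-256 digest out of band (a value pinned in the CI configuration, or a signed SHA256SUM file checked with the publisher's public key) and that coreutils `sha256sum` is available (on macOS substitute `shasum -a 256`). The sample uploader script, its pinned digest, and the tampered copy are all constructed inside the block so it runs offline.

```shell
#!/bin/sh
# Added example, not Codecov's code: fetch, verify, then run, instead of curl | bash.
# Assumption: the expected SHA-256 digest comes from a channel separate from the
# download itself (pinned in CI config, or a signed SHA256SUM file).
set -e

# sha256_of FILE: print the hex SHA-256 digest of FILE (coreutils sha256sum;
# on macOS use: shasum -a 256 "$1" | cut -d' ' -f1)
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# digest_matches FILE EXPECTED: exit 0 if FILE's digest equals EXPECTED, else 1
digest_matches() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# verify_and_run SCRIPT EXPECTED [ARGS...]: execute SCRIPT only if its digest
# matches EXPECTED. On a mismatch the reason goes to stderr and nothing runs.
verify_and_run() {
    script=$1
    expected=$2
    shift 2
    if ! digest_matches "$script" "$expected"; then
        printf 'refusing to run %s: digest mismatch\n  expected %s\n  actual   %s\n' \
            "$script" "$expected" "$(sha256_of "$script")" >&2
        return 1
    fi
    sh "$script" "$@"
}

# demo: a constructed stand-in for an uploader script, its pinned digest, and a
# tampered copy with one appended line (harmless here) standing in for the kind
# of environment-variable exfiltration a modified uploader could perform.
# Exits 0 only if the genuine copy runs and the tampered copy is refused.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$tmp/uploader.sh"
    pinned=$(sha256_of "$tmp/uploader.sh")   # stands in for the out-of-band value

    genuine_ok=0
    if verify_and_run "$tmp/uploader.sh" "$pinned" > /dev/null; then genuine_ok=1; fi

    cp "$tmp/uploader.sh" "$tmp/tampered.sh"
    printf 'echo "would POST $(env | wc -l) environment variables to an attacker"\n' \
        >> "$tmp/tampered.sh"
    tampered_ran=0
    if verify_and_run "$tmp/tampered.sh" "$pinned" 2> /dev/null; then tampered_ran=1; fi

    rm -rf "$tmp"
    [ "$genuine_ok" -eq 1 ] && [ "$tampered_ran" -eq 0 ]
}

demo && echo "fetch-verify-run demo: OK"
```

The comparison value is the whole point: a digest downloaded from the same server in the same request as the script proves nothing, because whoever replaced the script can replace the digest next to it. The same fetch, verify, run discipline applies unchanged to a static binary, so moving from a shell script to a compiled uploader only helps if the binary's digest or signature is checked before the CI job executes it.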


Codecov said the new Node.js Uploader is shipped as a static binary executable for Windows, Linux, Alpine Linux, and macOS.


“We will be deprecating a ..
