HashiCorp reveals exposure of private code-signing key after Codecov compromise

HashiCorp, an open-source company whose Terraform product is widely used for automated cloud deployments, has revealed a private code-signing key was exposed thanks to the compromised Codecov script discovered earlier this month.


Codecov, which provides tools to assess how much of an application's code is subject to unit tests, reported that a script used to upload data to its servers was modified to export credentials to an attacker's server. The company said it had "not been able to determine conclusively who carried out the event."


HashiCorp, one of Codecov's 29,000 customers, has confirmed it was among those hit. Specifically, it said "a subset of HashiCorp's CI pipelines used the affected Codecov component" and "the GPG private key used for ..
