Important PSA - Codecov.IO Bash Uploader Security Update
nullnothere
Member
in General
There has been a fairly serious backdoor implanted resulting in credential leakage.
If you use/have used their tool, please be sure to revoke/rotate your credentials immediately.
More information:
https://about.codecov.io/security-update/
Ars Technica has coverage here: https://arstechnica.com/gadgets/2021/04/backdoored-developer-tool-that-stole-credentials-escaped-notice-for-3-months/
Comments
So somebody updates a core component, they do not notice for 3 months and then the line added is this? THIS?
Not some company or software I would ever use.
Really? No email was received. Just logged in to my account and surprise:
In news that should surprise nobody, downloading and executing an arbitrary shell script from a third party server as part of your build process may not be the most secure thing to do. You should really save a local copy to your repo so that changes can be properly audited.
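One way to act on the advice above, as an added example that is not code from this thread or from Codecov: keep a vendored copy of the uploader in the repo, record its SHA-256 next to it, and have the build refuse to execute the script if the bytes ever differ from the pin. The file names and the stand-in script here are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Codecov): run a vendored script
# only if its SHA-256 matches a value committed to the repo. Paths, the
# stand-in script and the resulting hash are all constructed for the demo.
set -u

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed (0) only if the file's SHA-256 equals the pinned value in $2.
verify_pinned_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Execute the script only after it passes the pin check; fail the build otherwise.
run_pinned() {
  script="$1"; pinned="$2"
  if ! verify_pinned_sha256 "$script" "$pinned"; then
    echo "refusing to run $script: SHA-256 does not match pinned $pinned" >&2
    return 1
  fi
  sh "$script"
}

# Demonstration: the pinned copy runs, a modified copy is rejected.
demo() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho "uploading coverage report"\n' > "$dir/uploader.sh"
  pinned=$(sha256_of "$dir/uploader.sh")            # value you would commit
  run_pinned "$dir/uploader.sh" "$pinned"; first=$?  # expected: runs, exit 0
  echo 'echo tampered' >> "$dir/uploader.sh"        # any change breaks the pin
  run_pinned "$dir/uploader.sh" "$pinned" 2>/dev/null; second=$?
  rm -rf "$dir"
  [ "$first" -eq 0 ] && [ "$second" -ne 0 ]
}
```

Regenerate and commit a new pin only after reviewing the diff of the vendored script, which turns a silent upstream change into a visible code review.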
You'd be surprised at how many such issues go underreported and/or get masked under the veneer of automation.
Sometime back, IIRC, there was a similar issue with some similar bad packages that were added into the Node package repository.
This is definitely not going to be the end of such issues.
An interesting read on a related issue is: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610