26 April 2021

HashiCorp discloses security incident following Codecov supply-chain attack


HashiCorp discloses security incident following Codecov supply-chain attack

HashiCorp, a software company that provides modular DevOps infrastructure provisioning and management products, has disclosed a security incident related to the recent Codecov’s Bash Uploader hack.

Earlier this month, Codecov said bad actors got access to its Bash Uploader script, a tool that provides a framework and language-agnostic method for sending coverage reports to Codecov, and modified it without permission. The attackers were able to gain access because of an error in Codecov’s Docker image creation process that allowed them to extract the credentials required to modify the Bash Uploader script. The breach took place in January this year but was detected only in April, thanks to a security-conscious user, who discovered that SHA-1 checksum for the Github version of Codecov Bash Uploader and the SHA-1 checksum for the downloaded Bash Uploader version didn’t match.

Previously, it was reported that hackers who modified Codecov’s Bash Uploader tool have used it to gain restricted access to hundreds of networks belonging to the company’s customers.

In its recent press release HashiCorp said it “was impacted by a security incident with a third party (Codecov) that led to potential disclosure of sensitive information” and that “the GPG private key used for signing hashes used to validate HashiCorp product downloads was exposed.”

While the company said it has not found any evidence the exposed GPG private key has been misused, it has revoked the affected GPG keypair and issued a new GPG keypair.

HashiCorp also said that the breach only affected its SHA256SUM signing mechanism.

“MacOS code signing/notarization and Windows AuthentiCode signing of HashiCorp releases for those platforms were unaffected by the exposed GPG key in question,” according to the company.

Back to the list

Latest Posts

One of the US’ largest pipelines halts operations after a ransomware attack

One of the US’ largest pipelines halts operations after a ransomware attack

The "DarkSide" criminal group is believed to be behind the ransomware attack.
10 May 2021
TunnelSnake cyber-espionage campaign deploys unique rootkit to backdoor Windows systems

TunnelSnake cyber-espionage campaign deploys unique rootkit to backdoor Windows systems

The attacks were highly targeted and delivered to less than 10 victims around the world, including large diplomatic organizations in South-East Asia and Africa.
10 May 2021
A bio research institute got infected with Ryuk ransomware because of pirated software

A bio research institute got infected with Ryuk ransomware because of pirated software

The student who wouldn’t pay for licensed software unwittingly opened a door to the ransomware.
10 May 2021