HashiCorp, a software company that provides modular DevOps infrastructure provisioning and management products, has disclosed a security incident related to the recent Codecov’s Bash Uploader hack.
Earlier this month, Codecov said bad actors got access to its Bash Uploader script, a tool that provides a framework and language-agnostic method for sending coverage reports to Codecov, and modified it without permission. The attackers were able to gain access because of an error in Codecov’s Docker image creation process that allowed them to extract the credentials required to modify the Bash Uploader script. The breach took place in January this year but was detected only in April, thanks to a security-conscious user, who discovered that SHA-1 checksum for the Github version of Codecov Bash Uploader and the SHA-1 checksum for the downloaded Bash Uploader version didn’t match.
Previously, it was reported that hackers who modified Codecov’s Bash Uploader tool have used it to gain restricted access to hundreds of networks belonging to the company’s customers.
In its recent press release HashiCorp said it “was impacted by a security incident with a third party (Codecov) that led to potential disclosure of sensitive information” and that “the GPG private key used for signing hashes used to validate HashiCorp product downloads was exposed.”
While the company said it has not found any evidence the exposed GPG private key has been misused, it has revoked the affected GPG keypair and issued a new GPG keypair.
HashiCorp also said that the breach only affected its SHA256SUM signing mechanism.
“MacOS code signing/notarization and Windows AuthentiCode signing of HashiCorp releases for those platforms were unaffected by the exposed GPG key in question,” according to the company.