Malicious code inserted into the Codecov script led to the compromise of HashiCorp's PGP key

HashiCorp, known for developing the open-source tools Vagrant, Packer, Nomad and Terraform, has announced the leak of a private GPG key used to create the digital signatures that verify its releases. An attacker with access to this GPG key could potentially make hidden changes to HashiCorp products while giving them a valid digital signature. The company stated, however, that its audit found no trace of any attempt to make such modifications.

The compromised GPG key has been revoked and replaced with a new one. The problem affects only verification using the SHA256SUMS and SHA256SUMS.sig files; it does not affect the digital signatures of the DEB and RPM Linux packages distributed via releases.hashicorp.com, nor the release verification mechanisms for macOS and Windows (Authenticode).

The leak occurred because the infrastructure used the Codecov Bash Uploader (codecov-bash), a script designed to upload coverage reports from continuous integration systems. During the attack on Codecov, a backdoor was covertly inserted into this script that sent passwords and encryption keys to a server controlled by the attackers.

To carry out the attack, the attackers exploited an error in the process of building the Codecov Docker image, which allowed them to extract credentials for GCS (Google Cloud Storage) that were needed to modify the Bash Uploader script distributed from codecov.io. The changes were made on January 31, went unnoticed for two months, and allowed the attackers to extract information stored in the continuous integration environments of Codecov customers. Using the added malicious code, the attackers could obtain information about the Git repository under test and gain access to any tokens, encryption keys and passwords passed to the continuous integration systems for access to application code, storage and services.

Besides being called directly, the Codecov Bash Uploader script was also used as part of other uploaders, such as codecov-action (GitHub), codecov-circleci-orb and codecov-bitrise-step, whose users are likewise affected. All users of codecov-bash and related products are advised to audit their infrastructure and to rotate passwords and encryption keys. The presence of the backdoor in the script can be checked by looking for the following lines
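
The root cause on the customer side was that the uploader was fetched from codecov.io and executed directly, so a modification upstream ran unnoticed in every pipeline. The following added example (not code from the article, Codecov or HashiCorp) shows the mitigation a CI owner can apply: download the script to a file, compare it with a pinned SHA-256 digest taken from a reviewed copy, and refuse to execute it on any mismatch. The URL and digest arguments are placeholders the caller supplies.

```shell
#!/bin/sh
# Pin a CI helper script to a known SHA-256 digest instead of piping it
# straight from the network into bash. Constructed example.
set -eu

# Portable SHA-256 of a file (GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 when the file's digest matches the pinned value, 1 otherwise.
verify_pinned() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "REFUSING to run $file: digest mismatch" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# fetch_and_run URL EXPECTED_SHA256 [SCRIPT_ARGS...]
# Downloads to a temporary file, verifies it, and only then executes it.
# A changed upstream script therefore fails the build instead of running.
fetch_and_run() {
  url=$1
  expected=$2
  shift 2
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  curl -fsSL -o "$tmp" "$url"
  verify_pinned "$tmp" "$expected" || return 1
  bash "$tmp" "$@"
}
```

Usage in a pipeline: `fetch_and_run "$UPLOADER_URL" "$PINNED_SHA256" -t "$CODECOV_TOKEN"`, where the pinned digest is updated only after the new script version has been reviewed.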

Source: media reports.