duncan.dev

Not your usual supply chain hack

26 April 2021 • 00:20

Supply chain hacks are on the rise. The latest is the Codecov bash uploader blunder, affecting quite a few organizations that use the tool in their Continuous Integration (CI) pipelines.

If you think it through, as one Y Combinator reader did, this means “So the hackers stole every environment variable for the context in which the Codecov script was run. It means that if you use CI to deploy your code, all of your credentials have been leaked.”

If you’re a Codecov user and you haven’t already rotated your credentials, now’s the time. And maybe evaluate whether you keep using it after this. Seriously.
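The root of this incident is a CI step that fetches a script and runs it without checking what it got. As an added example (not code from this post or from Codecov), here is a POSIX sh wrapper that refuses to run a downloaded helper unless its SHA-256 matches a hash pinned in your own repository; the file names and the sample uploader are constructed for the demo, and the pinned hash must come from your repo, not from the same server that serves the script.

```shell
#!/bin/sh
# Added example: run a fetched CI script only if its SHA-256 matches a
# hash you committed alongside your pipeline config. Any change to the
# script, however small, makes the hash differ and the step fail closed.

# Portable SHA-256 of a file: prefer sha256sum, fall back to shasum.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# run_pinned_script SCRIPT PINNED_HASH
# Runs SCRIPT with sh and returns its status only when the hash matches;
# returns 1 without running anything otherwise.
run_pinned_script() {
  script="$1"
  pinned="$2"
  actual="$(file_sha256 "$script")"
  if [ "$actual" != "$pinned" ]; then
    echo "refusing to run $script: $actual does not match pinned $pinned" >&2
    return 1
  fi
  sh "$script"
}

# --- constructed demo: a benign uploader and a modified copy of it ---
workdir="$(mktemp -d)"
printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report"' > "$workdir/uploader.sh"
# In a real pipeline this value lives in the repo, e.g. in a checked-in file.
PINNED_HASH="$(file_sha256 "$workdir/uploader.sh")"

# The modified copy differs only by one added comment line.
cp "$workdir/uploader.sh" "$workdir/modified.sh"
printf '%s\n' '# modified' >> "$workdir/modified.sh"

if run_pinned_script "$workdir/uploader.sh" "$PINNED_HASH"; then GOOD_RC=0; else GOOD_RC=1; fi
if run_pinned_script "$workdir/modified.sh" "$PINNED_HASH" 2>/dev/null; then BAD_RC=0; else BAD_RC=1; fi
echo "original: rc=$GOOD_RC  modified: rc=$BAD_RC"
```

Rotating the pinned hash then becomes a reviewed change in your repository rather than something that happens silently when the upstream file changes.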