HashiCorp is the latest victim of Codecov supply-chain attack
HashiCorp, the maker of Vault and other open-source software tools, has disclosed a security incident that occurred due to the recent Codecov attack.
HashiCorp, a Codecov customer, has stated that the recent Codecov supply-chain attack aimed at collecting developer credentials led to the exposure of HashiCorp's GPG signing key.
This week, HashiCorp, a notable open-source software tools and infrastructure provider, disclosed that the recent Codecov supply-chain attack had impacted a subset of their Continuous Integration pipelines.
The company states that as a result of this, the GPG key used by HashiCorp to sign and verify software releases was exposed.
macOS code signing and Windows Authenticode signing of HashiCorp releases have not been affected by the exposed private key.
As part of its incident response activities, HashiCorp is further investigating whether any other information was exposed in the Codecov incident and plans to provide relevant updates as the investigation progresses.