HashiCorp reveals exposure of private code-signing key after Codecov compromise
2021-04-26 19:35

HashiCorp, an open-source company whose Terraform product is widely used for automated cloud deployments, has revealed a private code-signing key was exposed thanks to the compromised Codecov script discovered earlier this month.

Specifically, it said "a subset of HashiCorp's CI pipelines used the affected Codecov component" and "The GPG private key used for signing hashes used to validate HashiCorp product downloads... was exposed."

The exposure means that potentially the attacker could have modified HashiCorp products while signing them with a genuine key, but the company said the "Investigation has not revealed evidence of unauthorized usage." It has validated existing releases, revoked the exposed key, and re-signed its downloads with a new key.

The compromise of the Codecov script was in place for a long period, beginning January 31, and there were a number of altered versions.

Beyond that, the reach of HashiCorp tools into enterprise computing is huge, larger than Codecov's.

What should HashiCorp customers do? "Ensure that they download HashiCorp products only from the official release channel," the company said in its statement, which, while true, is not especially illuminating.
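As an added illustration of the validation model the statement describes (this is not code from the article or from HashiCorp), the following Python checks a release download the way that model implies: the detached GPG signature over the SHA256SUMS list is verified against a pinned fingerprint of the current signing key, so a signature made with the revoked key is refused, and only then is the artifact's digest compared with the signed list. Assumed: the sha256sum-style layout of the hash list, a gpg binary with the pinned public key already imported, and constructed sample data with a placeholder version.

```python
import hashlib
import hmac
import re
import subprocess

# Constructed sample: a stand-in artifact and a hash list in the
# "<sha256>  <filename>" layout of a SHA256SUMS file. "X.Y.Z" is a
# placeholder version string, not a real release.
SAMPLE_ZIP = b"constructed stand-in for terraform_X.Y.Z_linux_amd64.zip"
SAMPLE_SUMS = (
    hashlib.sha256(SAMPLE_ZIP).hexdigest() + "  terraform_X.Y.Z_linux_amd64.zip\n"
    + "ab" * 32 + "  terraform_X.Y.Z_darwin_amd64.zip\n"
)

def parse_sha256sums(text):
    """Map filename -> lowercase hex digest; refuse malformed lines outright."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.fullmatch(r"\s*([0-9a-fA-F]{64})\s+\*?(\S+)\s*", line)
        if m is None:
            raise ValueError("malformed SHA256SUMS line: %r" % line)
        entries[m.group(2)] = m.group(1).lower()
    return entries

def artifact_matches(sums_text, filename, data):
    """True only if filename is listed and data hashes to the listed digest."""
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False  # an artifact absent from the signed list is not covered
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)

def sums_signed_by(sums_path, sig_path, pinned_fingerprint):
    """Run gpg --verify on the detached signature; accept only a GOODSIG (not
    REVKEYSIG/EXPKEYSIG) made by the pinned fingerprint, so the retired key is
    refused even if still in the keyring. Run this BEFORE trusting the hashes."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True,
    )
    status = proc.stdout.splitlines()
    good = any(s.startswith("[GNUPG:] GOODSIG ") for s in status)
    seen = set()
    for s in status:
        if s.startswith("[GNUPG:] VALIDSIG "):
            f = s.split()  # field 2 is the signing key, last field the primary key
            seen.update({f[2].upper(), f[-1].upper()})
    want = pinned_fingerprint.replace(" ", "").upper()
    return proc.returncode == 0 and good and want in seen
```

The fingerprint to pin is the one HashiCorp publishes for the replacement key after the rotation, taken from the official channel rather than from the download host itself.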


News URL

https://go.theregister.com/feed/www.theregister.com/2021/04/26/hashicorp_reveals_exposure_of_private/

Related vendor

Vendor     Products (last 12 months)   Low   Medium   High   Critical   Total vulns
Hashicorp  18                          6     87       42     6          141