27 Apr 2021, 8:39 a.m.
Hi,

I found this in my news feed today:

The codecov-bash script that is used to upload codecov reports from CI to codecov.io was maliciously modified to collect sensitive information and send it to a third-party server. Things like private keys, credentials, auth tokens used in the CI might be compromised.

https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-has...
https://about.codecov.io/security-update/

I'm not using codecov, and I have a vague understanding of how it works, but I've seen it used in Boost libraries' CI. I don't know if they are affected; this is an FYI to the maintainers.