The attack led to the theft of the HashiCorp GPG signing key and affected part of the continuous integration processes.
Open-source software developer HashiCorp has reported an incident involving an attack on the Codecov supply chain.
According to a HashiCorp representative, the attack led to the theft of HashiCorp's GPG signing key and affected part of its continuous integration (CI) processes. HashiCorp uses the private key to sign and verify software releases; it has since been replaced as a precautionary measure.
“Although the investigation found no evidence of unauthorized use of the GPG public key, it was modified for security reasons to support a secure signing mechanism,” the company explained.
The company has published a new GPG key pair that will be used from now on; the compromised key pair has been revoked.
According to HashiCorp, the incident affected only its SHA256SUM signature mechanism. The theft of the private key did not affect the macOS code-signing process or the Windows Authenticode signing of HashiCorp releases.
The signing process for Linux packages (Debian and RPM), available at releases.hashicorp.com, has also remained unchanged. However, the Terraform product has not yet been updated to use the new GPG key.
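The SHA256SUM mechanism described above only protects a download if the consumer checks two things in order: that the SHA256SUMS file carries a valid signature from a key that is still trusted (the key rotation above is exactly why a pinned fingerprint matters), and that the artifact's hash matches the signed list. The following is an added example written for this article, not HashiCorp's or Codecov's own code; the key fingerprints, file names and archive bytes are constructed placeholders, and the signer fingerprint is assumed to come from a prior `gpg --status-fd 1 --verify` run.

```python
import hashlib
import hmac
import re

# Constructed placeholder fingerprints; the real HashiCorp fingerprints are not on this page.
NEW_KEY_FPR = "NEW0KEY0FINGERPRINT0PLACEHOLDER0000000000"
OLD_KEY_FPR = "OLD0KEY0FINGERPRINT0PLACEHOLDER0000000000"
TRUSTED_FINGERPRINTS = {NEW_KEY_FPR}   # keys currently accepted for SHA256SUMS.sig
REVOKED_FINGERPRINTS = {OLD_KEY_FPR}   # keys refused even if their signature is valid

# Constructed sample release artifact and SHA256SUMS file (not real release data).
SAMPLE_FILENAME = "example_9.9.9_linux_amd64.zip"
SAMPLE_ARCHIVE = b"constructed archive bytes standing in for a release zip\n"
SAMPLE_SUMS = (
    hashlib.sha256(SAMPLE_ARCHIVE).hexdigest() + "  " + SAMPLE_FILENAME + "\n"
    + "0" * 64 + "  example_9.9.9_darwin_amd64.zip\n"
)

# coreutils format: 64 hex chars, a space, then ' ' (text mode) or '*' (binary), then the name
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](\S.*)$")


def parse_sha256sums(text):
    """Parse a SHA256SUMS file into {filename: hexdigest}; malformed lines are rejected."""
    digests = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = _SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SHA256SUMS line {lineno}: {line!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests


def verify_release(archive, filename, sums_text, signer_fingerprint):
    """Return (ok, reason) for one downloaded artifact.

    signer_fingerprint is the fingerprint of the key that produced a valid
    signature over sums_text (assumed to come from the VALIDSIG line of
    'gpg --status-fd 1 --verify SHA256SUMS.sig SHA256SUMS'). The hash check
    is only meaningful if that key is one we still trust, so it is gated first.
    """
    fpr = signer_fingerprint.upper()
    if fpr in REVOKED_FINGERPRINTS:
        return False, "SHA256SUMS signed by a revoked key"
    if fpr not in TRUSTED_FINGERPRINTS:
        return False, "SHA256SUMS signed by an unknown key"
    try:
        digests = parse_sha256sums(sums_text)
    except ValueError as exc:
        return False, str(exc)
    expected = digests.get(filename)
    if expected is None:
        return False, f"{filename} not listed in SHA256SUMS"
    actual = hashlib.sha256(archive).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"sha256 mismatch for {filename}"
    return True, "ok"


if __name__ == "__main__":
    # Accepted: signed by the current key and the hash matches.
    print(verify_release(SAMPLE_ARCHIVE, SAMPLE_FILENAME, SAMPLE_SUMS, NEW_KEY_FPR))
    # Refused: a valid signature from the old key is no longer enough.
    print(verify_release(SAMPLE_ARCHIVE, SAMPLE_FILENAME, SAMPLE_SUMS, OLD_KEY_FPR))
```

The ordering is the point: a consumer that only runs `sha256sum -c` against a SHA256SUMS file fetched next to the artifact is trusting whoever could publish that file, and a consumer that accepts any key in its keyring keeps trusting the stolen one until the keyring is cleaned up. Pinning the fingerprint and keeping an explicit revoked set makes the rotation take effect on the client side.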
As a reminder, on April 1, 2021, unknown persons obtained unauthorized access to the Codecov Bash Uploader script and modified it without permission.
The attacker gained access through a bug in Codecov's Docker image creation process that allowed the retrieval of the credentials required to modify the Bash Uploader script.
The Codecov Bash Uploader supply chain attack had remained undisclosed since the beginning of this year and leaked tokens, keys and credentials of organizations around the world.