Backdoor Found in Codecov Bash Uploader (Supply Chain Attack)
Good morning,

https://www.schneier.com/blog/archives/2021/04/backdoor-found-in-codecov-bas...

--8<---------------cut here---------------start------------->8---
Developers have discovered a backdoor in the Codecov bash uploader. It's been there for four months. We don't know who put it there.

Codecov said the breach allowed the attackers to export information stored in its users' continuous integration (CI) environments. "This information was then sent to a third-party server outside of Codecov's infrastructure," the company warned.

Codecov's Bash Uploader is also used in several uploaders — Codecov-actions uploader for Github, the Codecov CircleCI Orb, and the Codecov Bitrise Step — and the company says these uploaders were also impacted by the breach.

According to Codecov, the altered version of the Bash Uploader script could potentially affect:

* Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
* Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
* The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

Add this to the long list of recent supply-chain attacks.
--8<---------------cut here---------------end--------------->8---

Tragicomically, the software's home page https://about.codecov.io/ reads precisely:

--8<---------------cut here---------------start------------->8---
Ship healthier code faster with less risk.

Development cycles are spinning faster than ever... With everything from doorbells to rockets running on code, it's more important than ever to ensure quality code is being delivered with every release. Code coverage is one of the most important metrics companies rely on to ship healthier code, faster, and with less risk.

Codecov gives companies actionable coverage insights when and where they need them to ensure they are shipping quality code.
--8<---------------cut here---------------end--------------->8---

But does Codecov use Codecov?!? Is there a bootstrapping problem? B-)

Then again, what could possibly go wrong when, to install the software, you have to run: "bash <(curl -s https://codecov.io/bash)" [1] ?!? :-O

Then again, what could possibly go wrong when Docker "recipes" are used a little too cheerfully to build deployment environments [2]?!?

--8<---------------cut here---------------start------------->8---
The actor gained access because of an error in Codecov's Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script
--8<---------------cut here---------------end--------------->8---

...if I had done that, I would already have been (metaphorically!) exiled into orbit around Saturn :-O

Regards, Giovanni.

[1] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
[2] https://www.securityweek.com/codecov-bash-uploader-dev-tool-compromised-supp...

--
Giovanni Biscuolo

We, incompetent as we are, have no standing to suggest anything.
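As an added illustration (not code from the message above, nor Codecov's own tooling), here is the defensive counterpart to the `bash <(curl -s ...)` one-liner: download the script to a file, compare it against a checksum pinned in the repository, and execute it only on a match, so a silently modified upstream copy fails closed instead of running with the CI runner's secrets. The URL and the pinned digest in the comments are placeholders; the test vector is the well-known SHA-256 of the string "abc".

```shell
#!/bin/sh
# Added example: pin-and-verify instead of piping a remote script into bash.
# PLACEHOLDERS: the URL and EXPECTED digest below are not real Codecov values;
# a project would record the digest of the reviewed script revision in its repo.

# sha256_of FILE -> prints the hex SHA-256 digest (coreutils or perl shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_pinned FILE EXPECTED_SHA256 -> exit 0 only if the digest matches
verify_pinned() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# fetch_and_run URL EXPECTED_SHA256
# Downloads to a temp file (never to stdin), refuses to run on any download
# error or digest mismatch, and cleans up the temp file in every path.
fetch_and_run() {
    url="$1"; expected="$2"
    tmp=$(mktemp) || return 1
    # -f: treat HTTP errors as failures instead of saving an error page;
    # -sS: quiet transfer but still report errors on stderr
    if ! curl -fsS "$url" -o "$tmp"; then
        echo "download of $url failed; not executing" >&2
        rm -f "$tmp"; return 1
    fi
    if ! verify_pinned "$tmp" "$expected"; then
        echo "digest mismatch for $url; refusing to execute" >&2
        rm -f "$tmp"; return 1
    fi
    bash "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Example call with placeholder values (commented out so the file is safe to source):
# fetch_and_run "https://example.invalid/uploader.sh" "<pinned sha256 of the reviewed revision>"
```

A mismatch here is a signal worth alerting on in CI, not something to retry or override, since the Codecov incident is exactly the case where the upstream file changed without the consumer changing anything.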