HashiCorp is the latest victim of Codecov supply-chain attack

Bleeping Computer

Open-source software tools and Vault maker HashiCorp disclosed a security incident yesterday that occurred due to the recent Codecov attack.

HashiCorp, a Codecov customer, has stated that the recent Codecov supply-chain attack aimed at collecting developer credentials led to the exposure of HashiCorp’s GPG signing key.

The private key is used by HashiCorp to sign and verify software releases, and has since been rotated as a precaution.

Full article