HashiCorp, an open-source company whose Terraform product is widely used for automated cloud deployments, has revealed a private code-signing key was exposed thanks to the compromised Codecov script discovered earlier this month.
Codecov, which provides tools to assess how much of an application’s code is subject to unit tests, reported that a script used to upload data to its servers was modified to export credentials to an attacker’s server. The company said it had “not been able to determine conclusively who carried out the event.”
HashiCorp, one of Codecov’s 29,000 customers, has confirmed it was among those hit. Specifically, it said “a subset of HashiCorp’s CI pipelines used the affected Codecov component and the GPG private key used for signing hashes used to validate HashiCorp product downloads… was exposed.”
The exposure means the attacker could potentially have modified HashiCorp products and signed them with a genuine key, but the company said its investigation has not revealed evidence of unauthorized usage. It has validated existing releases, revoked the exposed key, and re-signed its downloads with a new key.