A publicly available software development tool contained malicious code that stole the authentication credentials that apps need to access sensitive resources. It’s the latest revelation of a supply chain attack that has the potential to backdoor the networks of countless organizations.

The Codecov bash uploader contained the backdoor from late January to the beginning of April, developers of the tool said on Thursday. The backdoor caused developer computers to send secret authentication tokens and other sensitive data to a remote site controlled by the hackers. The uploader works with development platforms including GitHub Actions, CircleCI, and Bitrise Step, all of which support having such secret authentication tokens in the development environment.

A pile of AWS and other cloud credentials

The Codecov bash uploader performs what is known as code coverage for large-scale software development projects. It allows developers to send coverage reports that, among other things, determine how much of a codebase has been tested by internal test scripts. Some development projects integrate Codecov and similar third-party services into their platforms, where there is free access to sensitive credentials that can be used to steal or modify source code.

Code similar to this single line first appeared…
"Backdoored developer tool that stole credentials escaped notice for 3 months" was posted on arstechnica.com on April 16, 2021.