Home Cyber Crime Codecov ditches Bash Uploader for a NodeJS executable

Codecov ditches Bash Uploader for a NodeJS executable


codecov bash uploader

Software program testing and code protection firm, Codecov has now launched a cross-platform uploader meant to exchange its former Bash Uploader.

This new uploader is offered as a static binary executable at present supporting the Home windows, Linux, and macOS working methods.

The announcement follows the current Codecov supply-chain incident that lasted two months, by which attackers had altered the Codecov Bash Uploader to gather delicate credentials from buyer CI/CD environments.

New NodeJS uploader to exchange Codecov Bash Uploader

This week, Codecov launched a beta launch of its all-new uploader able to working on the Home windows, Linux, Alpine Linux, and macOS working methods.

This uploader, written in NodeJS would change the Bash Uploader that the corporate beforehand had in place to be used by prospects.

“For the final 8 months, Codecov has been creating a brand new uploader that doesn’t depend on the bash script that we at present present to our prospects.”

“We initiated this undertaking as a result of, as utilization of Codecov has grown and our growth velocity has elevated, the Bash Uploader has turn out to be more and more advanced to correctly keep,” stated Codecov CTO Eli Hooten.

Hooten cited a number of causes for taking this step, together with Bash scripts being troublesome to keep up, prolong, distribute, and check, as complexity will increase.

Additional, the “curl | bash” fashion instructions beforehand utilized by the purchasers to add knowledge to Bash Uploader drew scrutiny after the current supply-chain attack by which the Bash Uploader had been compromised.   

“To fight this incident from a product perspective we initially supplied higher documentation on how to verify the Codecov Bash Uploader till our new Uploader was full, however our final long-term aim has at all times been to exchange the Bash Uploader altogether,” continued Hooten.

Moreover, Codecov states their new uploader comes with new options, added advantages, and improved safety.

The uploader is obtainable as a natively compiled binary produced from the open-source NodeJS code that the neighborhood, prospects, and anybody can audit and contribute to.

In a blog post, the corporate additionally defined {that a} compiled binary “makes it tougher for code to be modified by a center man,” and presents enhanced safety in comparison with the previous Bash Uploader.

Furthermore, the brand new uploader combines separate language-specific uploaders right into a single executable.

Nonetheless, some observers have raised considerations almost about the brand new uploader.

Software program developer Maximilian Hils highlighted that the brand new uploader relied on 579 dependencies, and was 43 MB in dimension:

codecov tweet
Developer expresses considerations with the brand new uploader (Twitter)

Hils, who was joined by one other developer Josh Pitts, additional expressed shock at a number of the statements touted by Codecov, that a compiled binary was tougher to change for a man-in-the-middle, and that the brand new Uploader supplied “a safer, verifiable distribution when in comparison with the Bash Uploader.” 

The way to confirm the integrity of the brand new uploader?

Codecov has supplied easy steps that prospects can use to confirm the integrity of its new uploader.

Together with the uploader binary, the corporate offers a checksum (shashum) file which is signed by their public GPG key.

Prospects can run a number of instructions, proven under, to make sure the hash or checksum of the downloaded Uploader matches the hash supplied within the checksum file, and that the checksum file is genuine (signed by Codecov’s GPG key).

codecov new uploader
Instructions to confirm the integrity of the brand new Codecov uploader

Codecov’s PGP public key has the next fingerprint and may be downloaded from Keybase or different keyservers:

Key ID: ED779869
Key Fingerprint: 2703 4E7F DB85 0E0B BC2C 62FF 806B B28A ED77 9869

The brand new uploader, together with the corresponding SHA256SUM, and SHA256SUM.sig information may be downloaded from Codecov’s server.

Codecov breach reportedly impacted lots of of networks

Ever for the reason that Codecov incident was disclosed on April fifteenth, U.S. federal investigators have been fast to step in and claimed that Codecov attackers managed to breach lots of of buyer networks.

Over the subsequent few weeks, as reported by BleepingComputer, a number of firms got here ahead disclosing impression from this two-month-long supply-chain assault:

Codecov timeline
Codecov supply-chain assault timeline up to date 21-Might-2021 (BleepingComputer)

The impacted firms embody software program producer HashiCorp, cloud communications platform Twilio, cloud companies supplier Confluent, insurance coverage firm Coalition, U.S. cybersecurity agency Rapid7, workflow administration platform Monday.com, and most just lately, e-commerce big Mercari.

Contemplating Codecov had over 29,000 prospects with many counting on the beforehand compromised Bash Uploader, the complete impression of the incident could proceed to unfold within the coming months.

Codecov customers ought to scan their CI/CD environments and networks for any signs of compromise, and as a safeguard, rotate any and all secrets and techniques that will have been uncovered.

The newly launched NodeJS uploader that prospects are suggested to change to is anticipated to handle a number of the considerations with Codecov’s former set of uploaders.

In truth, starting Nov 1st, 2021, the corporate will start performing “random unscheduled brownouts” of its Bash Uploader, purposely making it unavailable at instances, and can utterly part it out by February 2022.

Source link