Backdoored developer tool that stole credentials escaped notice for 3 months
AWS credentials and private repository tokens could allow self-perpetuating attacks.

A publicly available software development tool contained malicious code that stole the authentication credentials that apps need to access sensitive resources. It's the latest revelation of a supply chain attack that has the potential to backdoor the networks of countless organizations.

The Codecov bash uploader contained the backdoor from late January to the beginning of April, developers of the tool said on Thursday. The backdoor caused developer computers to send secret authentication tokens and other sensitive data to a remote site controlled by the hackers. The uploader works with development platforms including GitHub Actions, CircleCI, and Bitrise Step, all of which support having such secret authentication tokens in the development environment.

...

https://arstechnica.com/gadgets/2021/04/backdoored-developer-tool-that-stole-credentials-escaped-notice-for-3-months/
