From: Andrey Semashev (andrey.semashev_at_[hidden])
Date: 2021-04-27 08:39:29
I found this in my news feed today:
The codecov-bash script that is used to upload codecov reports from CI
to codecov.io was maliciously modified to collect sensitive information
and send it to a third-party server. Things like private keys, credentials,
auth tokens used in the CI might be compromised.
I'm not using codecov, and I have a vague understanding of how it works, but
I've seen it used in Boost libraries' CI. I don't know if they are
affected; this is an FYI to the maintainers.
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk