dlang-community / DCD

The D Completion Daemon is an auto-complete program for the D programming language
GNU General Public License v3.0

revoked access token for CI releases #634

Closed WebFreak001 closed 3 years ago

WebFreak001 commented 3 years ago

I got an email from GitHub saying that the CodeCov bash script was compromised and stole access tokens being used with it. It additionally noted that the access token I currently had configured with dlang-community's Travis might have been compromised and has made suspicious API requests.

I have revoked the access token, so a new one needs to be set up in Travis; however, I can't seem to access the secrets anymore (or I just can't find them).

So I'm opening this so we can decide whether we want to configure a new access token with someone's account or possibly consider switching to GitHub Actions (not for added security, since users there were also affected by this, but for convenience).

I think this affects all dlang-community repositories that use Travis for releases (as I updated all of them when they broke after the previous owner left).

CodeCov was compromised January 31st, 2021, and malicious activity might range back until then (or, more accurately, to whenever the first CI run in a project with codecov and the configured access tokens was done). The compromised access token had `public_repo` access using my account.

aminya commented 3 years ago

The latest binaries for Windows are not working (#635). I'm afraid that they are compromised!

WebFreak001 commented 3 years ago

I think the fact that they are not working is probably not related to the security incident (codecov is not used in this project).

I don't know why they are not working. I have thought about switching to GitHub Actions for better insight into, and maintainability of, the build process, though, which could help in finding this.