> No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen
If it wasn't clear before that everyone should get off Travis (and it was), this should be the thing that makes it clear. This is not a trustworthy company anymore. Which is sad when they really used to be.
This is shockingly bad, but the response is completely inexcusable. Agree with other comments, people should get off Travis-CI immediately.
My concern now is that I will need to double check all my npm dependencies that could have potentially been affected by this, because it's very feasible that creds were leaked that could lead to an attacker surreptitiously injecting malicious code into a build.
Private equity running it into the ground.