Secure env vars of all public travisci repositories were injected into PR builds (twitter.com/peter_szilagyi)
129 points by eatonphil on Sept 14, 2021 | 5 comments

> No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen

If it wasn't clear before that everyone should get off travis (and it was), this should be the thing that makes it clear. This is not a trustworthy company anymore. Which is sad when they really used to be.

Private equity running it into the ground.

The deeply buried security bulletin: https://travis-ci.community/t/security-bulletin/12081

Another HN thread, although this one seems to be getting the upvotes: https://news.ycombinator.com/item?id=28523350

This is shockingly bad, but the response is completely inexcusable. Agree with other comments, people should get off Travis-CI immediately.

My concern now is that I will need to double check all my npm dependencies that could have potentially been affected by this, because it's very feasible that creds were leaked that could lead to an attacker surreptitiously injecting malicious code into a build.

If anyone needs a Python script to help identify which TravisCI projects (could have been) affected, we put one together: https://gist.github.com/xavdid/f8d89a98d4f791c7b347d73652a47...
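As an added example for the rotation question raised in these comments (it is not the linked gist and not Travis's own tooling), the script below inventories the encrypted `secure:` blobs in a `.travis.yml` by the key path they sit under, so a maintainer can see which credentials (global env secrets, deploy tokens) need rotating. The sample config and its blobs are constructed placeholders, and `find_secure_values` / `rotation_report` are names chosen here.

```python
import re
from dataclasses import dataclass

# Matches a YAML mapping key, optionally written as a `- key:` list item.
KEY_RE = re.compile(r'^(\s*)(-\s+)?([A-Za-z_][\w.-]*):(?:\s+(.*))?$')

@dataclass
class SecureValue:
    path: str   # dotted path of the enclosing keys, e.g. "env.global"
    line: int   # 1-based line number in .travis.yml
    blob: str   # the opaque ciphertext as written; never decrypted here

def find_secure_values(travis_yml: str) -> list[SecureValue]:
    """Track key nesting by indentation; only key paths are needed, not full YAML."""
    found: list[SecureValue] = []
    stack: list[tuple[int, str]] = []   # (indent, key) of the open mappings
    for lineno, raw in enumerate(travis_yml.splitlines(), start=1):
        line = re.sub(r'(^|\s)#.*$', '', raw).rstrip()   # drop comments
        m = KEY_RE.match(line)
        if not m:
            continue                     # plain scalars such as `- FOO=bar`
        indent = len(m.group(1)) + len(m.group(2) or '')
        key, value = m.group(3), (m.group(4) or '').strip().strip('"\'')
        while stack and stack[-1][0] >= indent:   # close deeper/sibling keys
            stack.pop()
        if key == 'secure':
            found.append(SecureValue('.'.join(k for _, k in stack), lineno, value))
        stack.append((indent, key))
    return found

def rotation_report(travis_yml: str) -> dict[str, int]:
    """Count secure values per location; each one is a credential to rotate."""
    report: dict[str, int] = {}
    for item in find_secure_values(travis_yml):
        report[item.path] = report.get(item.path, 0) + 1
    return report

# Constructed sample config; the blobs are placeholders, not real ciphertext.
SAMPLE_TRAVIS_YML = """\
env:
  global:
    - secure: "bW9ja19lbmNyeXB0ZWRfYmxvYl8x"   # constructed placeholder blob
    - secure: "bW9ja19lbmNyeXB0ZWRfYmxvYl8y"   # constructed placeholder blob
    - NODE_ENV=test
deploy:
  - provider: npm
    api_key:
      secure: "bW9ja19lbmNyeXB0ZWRfYmxvYl8z"   # constructed placeholder blob
"""
```

Running it over each affected repository's `.travis.yml` gives a checklist of secrets to rotate; the blobs themselves cannot be decrypted outside Travis, which is why the report works from locations rather than contents.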
