by dbrgn 1891 days ago
How would they do that? The bash script is a static file on a public host. Users can simply download it, without Codecov knowing about the repos it's being used in.

Never automatically download any remote code without at least checking the checksum.

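The principle in the comment above, as an added example that is not part of the thread: a POSIX sh helper that pins the expected SHA-256 of a remote script and refuses to execute it on a mismatch. It assumes `curl` and `sha256sum` (or `shasum -a 256`) are installed; the pinned hash must come from somewhere other than the host serving the script (release notes, a signed manifest), and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify-then-run instead of
# `curl ... | bash`. The download is written to a file, hashed, and
# compared against a hash pinned in your own config before anything runs.

# sha256_of FILE -> prints the hex SHA-256 of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to EXPECTED_SHA256, 1 otherwise.
verify_pinned() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads to a temp file, verifies before any execution, runs only on match.
# Example (constructed placeholder, replace with a hash obtained out of band):
#   fetch_verify_run https://example.invalid/uploader.sh 0123...cdef
fetch_verify_run() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$1" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_pinned "$tmp" "$2"; then
        sh "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

A modified script changes the hash, so a silently altered upload target (as in the incident discussed here) is caught before it ever executes in CI.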

The e-mail they sent includes "Unfortunately, we can confirm that you were impacted by this security event." which means that they know. I guess there is an API endpoint that is specific to Bash Uploader and they use that + dates of API requests to figure out who was impacted. This must also contain the repository info (and they just confirmed that they can figure this out).
That may be wrong. I use the ruby gem and the email says that it would not be affected, but at the same time the email says I was affected. I'm re-rolling to be sure, but it would help not having conflicting information in the same email.