Codecov has released a new uploader to replace its Bash Uploader. New uploader is a cross-platform binary capable of running on Windows, Linux, and MacOS operating systems. Developers have raised concerns with regards to the new release of the new binary. The company has provided a public key key to verify the integrity of the uploader, which is available from the public GPG/PGP key and can be downloaded from Keybase or other Keywords. The new binary is a compiled binary produced from the open-source NodeJS code that the community can audit and contribute to.
Source: https://www.bleepingcomputer.com/news/security/codecov-ditches-bash-uploader-for-a-nodejs-executable/