HashiCorp's code signing key compromised

The key HashiCorp use to sign downloads of such popular tools as Terraform and secrets management tool Vault has been compromised after a 3rd party tool used to scan code was compromised. The key, which doesn't appear to have been held in a hardware device, was exfiltrated to by and to persons unknown.This was a week ago but has received surprisingly little coverage.