Codecov was a victim of a supply chain attack

Pierluigi Paganini April 19, 2021

The software company Codecov suffered a security breach, threat actors compromised the supply chain of one of its tools.

A new supply chain attack made the headlines, the software company Codecov recently disclosed a major security breach after a threat actor compromised its infrastructure to inject a credentials harvester code to one of its tools named Bash Uploader.

Code coverage is one of the major metrics companies, it provides code testing solutions to a broad range of organizations, including Atlassian, P&G, GoDaddy, and the Washington Post.

The security breach took place on January 31, but it was discovered on April 1st by one of its customers.

“On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.” reads the security update provided by the software company.

Once discovered the breach, Codecov immediately secured its infrastructure and began investigating the incident with the support of a third-party forensic firm. The company also reported the incident to law enforcement.

The investigation revealed that the threat actor gained periodic access to the Bash Uploader script making changes to add malicious code. The malicious code would allow the attacker to intercept uploads and scan and collect any sensitive information, including credentials, tokens, or keys.

The security breach also impacted many other products of the company using the Bash Uploader script, including Codecov-actions uploader for Github, the Codecov CircleCl Orb, and the Codecov Bitrise Step.

According to the company, the tainted version of the Bash Uploader script could potentially affect:

  • Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
  • Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
  • The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

The company recommends affected users immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.

Below a list of countermeasures adopted by the company to address this situation: 

  • rotating all relevant internal credentials, including the key used to facilitate the modification of the Bash Uploader;
  • auditing where and how the key was accessible;
  • setting up monitoring and auditing tools to ensure that this kind of unintended change cannot occur to the Bash Uploader again; and
  • working with the hosting provider of the third-party server to ensure the malicious webserver was properly decommissioned.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment