Codecov announced on Thursday that it suffered a software supply-chain attack in which an attacker modified its Bash Uploader script and possibly gained access to sensitive information in customers’ continuous integration (CI) environments.
The platform owners detected the compromise on April 1, but there are indications the first attack occurred in late January.
Codecov is an online platform for code testing and statistics. As the name suggests, Codecov provides tools for code coverage that help devs find undetected bugs in their code.
It has over 29,000 enterprises among its customers, including Atlassian, Washington Post, GoDaddy, Procter & Gamble, and Royal Bank of Canada.
As the script’s name suggests, Bash Uploader is what Codecov customers use to send code coverage reports to the platform.
Starting January 31, the attackers altered the script so that it sends data from the customers’ CI environment to a server they control, as is visible on line 525 on GitHub.
The exploited vulnerability stemmed from an error in the process of creating Codecov’s Docker image. The bug allowed extracting customer credentials. Codecov says that the threat actor could have exfiltrated the following sensitive data:
- Credentials, tokens, or keys that Codecov customers passed through their CI runner
- Services, datastores, and application code accessible with these credentials, tokens, or keys
- The git remote information of repositories using the Bash Uploaders to upload coverage to Codecov in CI
Codecov recommends that affected users rotate all credentials, tokens, or keys used in CI processes that relied on Bash Uploader.
Codecov first learned of the compromise when a customer alerted them that the hash value published for the Bash Uploader script on GitHub did not match that of the downloaded file.
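The hash comparison that surfaced this compromise can be made a routine step in a CI job: the following added example (not Codecov’s own code) refuses to execute a downloaded uploader script unless its SHA-256 matches a digest obtained out of band, and the sample script, its digest and the modification are all constructed inline so the check runs offline.

```shell
#!/usr/bin/env bash
# Added example, not Codecov's code: verify a fetched uploader script against
# an expected SHA-256 before running it, instead of piping curl output to bash.
set -eu

# Print the SHA-256 of a file (falls back to shasum where sha256sum is absent).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the expected one, 1 otherwise.
verify_script() {
    file="$1"; expected="$2"
    actual=$(file_digest "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# Execute the script only after verification succeeds.
run_verified() {
    verify_script "$1" "$2" || return 1
    bash "$1"
}

# Constructed demonstration: a stand-in uploader, its trusted digest, and a
# one-line modification that must cause the check to refuse execution.
demo_dir=$(mktemp -d)
printf 'echo uploader-ran\n' > "$demo_dir/codecov.sh"
trusted=$(file_digest "$demo_dir/codecov.sh")   # obtained out of band in practice
run_verified "$demo_dir/codecov.sh" "$trusted"  # runs: prints uploader-ran
printf '# constructed modification\n' >> "$demo_dir/codecov.sh"
if ! run_verified "$demo_dir/codecov.sh" "$trusted" 2>/dev/null; then
    echo "modified script refused"
fi
rm -rf "$demo_dir"
```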
“Based upon the forensic investigation results to date, it appears that there was periodic, unauthorized access to a Google Cloud Storage (GCS) key beginning January 31, 2021, which allowed a malicious third-party to alter a version of our bash uploader script to potentially export information subject to continuous integration (CI) to a third-party server,” the Codecov team said.
Codecov patched the script on April 1, 2021.