Codecov has disclosed a security incident involving its Bash Uploader script, a tool that provides a framework and language-agnostic method for sending coverage reports to Codecov. The company said that an unauthorized party had gained access to Bash Uploader and modified it without permission.
Codecov provides highly integrated tools for developers and engineering leaders to gain actionable visibility into their code coverage.
Codecov said it learned of the hack on April 1, 2021. Further investigation revealed that attackers were able to gain access because of an error in Codecov’s Docker image creation process that allowed them to extract the credentials required to modify the Bash Uploader script.
“Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users' continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure,” the company said.
“The Bash Uploader is also used in these related uploaders: Codecov-actions uploader for Github, the Codecov CircleCI Orb, and the Codecov Bitrise Step (together, the “Bash Uploaders”). Therefore, these related uploaders were also impacted by this event.”
The altered version of the Bash Uploader script could potentially affect:
- Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
- Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.
Codecov chief executive Jerrod Engelberg said the company has rotated all relevant internal credentials, including the key used to facilitate the modification of the Bash Uploader, and has conducted audits to determine where and how the key was accessible.
The company said it had notified users who may have been affected by the breach. It recommends that users “immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.”
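The incident turns on a script that CI jobs fetched from the network and executed as-is. As an added example (not Codecov's own code), the shell fragment below pins a downloaded uploader to an expected SHA-256 recorded in the CI configuration and refuses to execute it when the hash differs, which is the kind of check that surfaces an altered script before it runs; the function names and the hash values are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example: gate execution of a fetched uploader script on a pinned hash.
# Expected hashes are constructed placeholders; real pipelines would record the
# checksum of the reviewed release they intend to run.

# Print the SHA-256 of a file, using whichever tool the CI image provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when the file's hash matches the pinned value, 1 otherwise.
verify_script() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# run_uploader FILE EXPECTED_SHA256 [ARGS...]
# Executes the script only after verification succeeds; a mismatch fails the
# job instead of silently running whatever was served.
run_uploader() {
    script=$1
    expected=$2
    shift 2
    verify_script "$script" "$expected" || return 1
    bash "$script" "$@"
}

# Typical use in a CI step (hash is a placeholder):
#   curl -fsSL -o uploader.sh "$UPLOADER_URL"
#   run_uploader uploader.sh "$PINNED_UPLOADER_SHA256" -t "$CODECOV_TOKEN"
```

Downloading to a file first, rather than piping directly into bash, is what makes the comparison possible; the pinned value must be updated deliberately when a new uploader release is reviewed.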