Original Release Date: 4/22/2021
Software company Codecov, used by over 29,000 enterprises, recently disclosed that it suffered a security breach resulting in a supply chain attack impacting customers that use the Bash Uploader script. On January 31, 2021, threat actors exploited an error in Codecov’s Docker image creation process and were able to access and alter Codecov’s Bash Uploader script in order to harvest customer keys, tokens, and credentials. Additionally, the URL of the original repository using the Bash Uploader, as well as any services, datastores, and application code that are accessed using these customer keys, tokens, or credentials, may also be affected. As its name implies, Bash Uploader is a tool used to export customers’ continuous integration (CI) environmental data to Codecov for testing and coding issues. Codecov became aware of the security breach on April 1, 2021, and began notifying affected customers on April 15, 2021. As with other recent supply chain attacks, the scale of impact and severity of this attack may not be fully understood for some time.
The NJCCIC recommends that users of the Bash Uploader tool audit their systems to determine impact. Affected users are urged to immediately re-roll all credentials, tokens, and keys located in the environment variables in CI processes, and to replace bash files with the most recent version. Additional information and recommendations can be found in Codecov’s security update, and further reporting can be found in the Bleeping Computer article.