Codecov discloses 2.5-month-long supply chain attack

Codecov, a software company that provides code testing and code statistics solutions, disclosed on Thursday a major security breach after a threat actor managed to breach its platform and add a credentials harvester to one of its tools.

The impacted product is named Bash Uploader and allows Codecov customers to submit code coverage reports to the company's platform for analysis.

Codecov said the breach occurred "because of an error in Codecov's Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script."

Attacker collected customer creds for 2.5 months

The attacker gained access to the Bash Uploader script on January 31 and made periodic changes to add malicious code that would intercept uploads and scan and collect any sensitive information like credentials, tokens, or keys.

Codecov said it first learned of the breach on April 1 and has been working with a forensics firm to untangle the attacker's actions.

The company disclosed the incident yesterday when it also sent emails with instructions to its customer base, which includes some big names like Atlassian, P&G, GoDaddy, the Washington Post, Tile, Dollar Shave Club, and Webflow.

But the security breach is not limited to clients who used the Bash Uploader script. Because the script is also embedded in other products, a large chunk of the company's customers are most likely affected.

Other Codecov products that used the tainted script include Codecov-actions uploader for Github, the Codecov CircleCl Orb, and the Codecov Bitrise Step.

Codecov customers that used any of these tools are advised to change any credentials they sent over the air to Codecov's platforms over the past two and a half months.

Incident fallout to be seen in months

The Codecov incident is yet another instance of a supply chain attack, where hackers gain access to the company's product and use it to attack its customers.

The fallout from this breach will most likely come to light in the following months, as the attacker uses the stolen credentials to attack other companies and steal their data.

Something similar happened in July 2020 when a hacker breached Git analytics provider Waydev, stole GitHub and GitLab OAuth tokens from its customers, and then abused those tokens to access those companies' internal networks and steal sensitive information. One of those victims was digital banking tech unicorn Dave.