The following blog was co-authored by Curt Barnard and Caitlin Condon.
On April 15, 2021, code coverage and testing company Codecov announced a supply chain compromise in which a malicious party gained access to their Bash Uploader script and modified it without authorization, enabling the attacker(s) to export CI-related information to a third-party server. The impact depends on the privileges of the CI system executing the modified script, but exfiltrated information could potentially include AWS IAM keys, deploy keys, API keys, service accounts, passwords, authentication tokens, and more. The script itself is not the only impacted Codecov tool: the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step are also affected. The malicious actor had access to modify the Bash Uploader script from Jan. 31, 2021 through April 1, 2021.
Codecov’s disclosure does not include any details on the attackers or the IP of the third-party server, the latter of which is “part of an ongoing federal investigation.” Depending on which underlying operating system privileges were in use when running the Bash Uploader, it is possible that an attacker could have compromised the underlying host in addition to exfiltrating sensitive information.
According to the disclosure, Codecov sent email notifications to affected users on April 15, 2021 using the email address on file from GitHub, GitLab, or Bitbucket. Affected users should immediately change or rotate all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.
Codecov users can determine the keys and tokens that are used across their CI environments by running the env command in their CI ..
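The `env` inventory described above, as an added example that is not from Codecov or the original post: it lists the names of environment variables that look like credentials, with value lengths instead of values, so the list of rotation candidates can be collected without writing secrets to the CI log. The name pattern, the function name `rotation_report` and the `CI_DEMO_*` variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inventory CI environment variables that look like credentials.
# Only names and value lengths are printed, never the values, so running this
# in a CI job does not write secrets into the build log.

# Assumed naming patterns (hypothetical); extend for your own conventions.
NAME_PATTERN='KEY|TOKEN|SECRET|PASSW|PWD|CREDENTIAL|AUTH'

# rotation_report: print "NAME<TAB>value-length" for each matching variable.
# awk's ENVIRON array is used instead of parsing `env` output line by line,
# because a multi-line value (for example a PEM deploy key) would otherwise
# be misread as extra NAME=value lines.
rotation_report() {
    awk -v re="$NAME_PATTERN" 'BEGIN {
        for (name in ENVIRON)
            if (toupper(name) ~ re)
                printf "%s\t%d\n", name, length(ENVIRON[name])
    }' | sort
}

# Demo in a subshell with constructed values (not real credentials).
(
    export CI_DEMO_API_TOKEN='abc123'
    export CI_DEMO_BUILD_NUMBER='42'
    export CI_DEMO_DEPLOY_KEY='-----BEGIN KEY-----
CI_DEMO_FAKE_TOKEN=text-inside-a-value
-----END KEY-----'
    rotation_report
)
```

Variables whose names do not match the pattern can still hold secrets, so review the full list of names as well as the matches.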