Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack
Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov Bash Uploader that went undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.
The hack occurred four months ago but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021, the company said in a note acknowledging the severity of the breach.
"On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov's Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script," Codecov said.
"Based upon the forensic investigation results to date, it appears that there was periodic, unauthorized access to a Google Cloud Storage key beginning January 31, 2021, which allowed a malicious third-party to alter a version of our bash uploader script to potentially export information subject to continuous integration to a third-party server. Codecov secured and remediated the script April 1, 2021."
Codecov's Bash Uploader is also used in several uploaders - Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step - and the company says these uploaders were also impacted by the breach.
The git remote information of repositories using the Bash Uploaders to upload coverage to Codecov in CI.
Codecov chief executive Jerrod Engelberg said the company has rotated all relevant internal credentials, including the key used to facilitate the modification of the Bash Uploader, and conducted audits to determine where and how the key was accessible.