Popular Codecov code coverage tool hacked to steal dev credentials
2021-04-16 14:44

Codecov, an online platform for hosted code testing reports and statistics, announced on Thursday that a threat actor had modified its Bash Uploader script, exposing sensitive information in customers' continuous integration (CI) environments.

Codecov provides tools that help developers measure how much of the source code executes during testing, a process known as code coverage, which indicates the potential for undetected bugs being present in the code.

As the name suggests, Bash Uploader is the tool that Codecov customers use to send code coverage reports to the platform.

The information potentially exposed includes the git remote information of repositories using the Bash Uploaders to upload coverage to Codecov in CI. Because of this potential risk, affected users are strongly recommended to re-roll all credentials, tokens, or keys present in the environment variables in the CI processes that relied on Bash Uploader.

Codecov learned of the compromise from a customer who noticed that the hash value for the Bash Uploader script on GitHub did not match the one for the downloaded file.
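The hash comparison that exposed the compromise can be made a routine CI step. The following is an added example, not code from Codecov or the original article: it pins the SHA-256 digest of a reviewed script and refuses to run any copy that does not match. The function names, file names and script contents are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: fail-closed integrity check for a downloaded CI helper script.
# File names and script contents below are constructed for the demo.

# Print the SHA-256 of a file using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the file exists and its digest equals the pinned digest.
verify_pinned() {
    local file="$1" pinned="$2" actual
    [ -f "$file" ] || return 2
    actual="$(sha256_of "$file")" || return 2
    [ -n "$actual" ] && [ "$actual" = "$pinned" ]
}

# Run the script only after verification; never pipe a download straight to bash.
run_if_verified() {
    local file="$1" pinned="$2"
    if verify_pinned "$file" "$pinned"; then
        bash "$file"
    else
        echo "integrity check FAILED for $file; refusing to run" >&2
        return 1
    fi
}

# --- Constructed demo ---
demo_dir="$(mktemp -d)"
printf '#!/bin/bash\necho "uploading coverage report"\n' > "$demo_dir/uploader.sh"
# Digest recorded from the reviewed copy (e.g. the version committed in source control).
PINNED="$(sha256_of "$demo_dir/uploader.sh")"

# Simulate the served file being altered after the digest was pinned.
cp "$demo_dir/uploader.sh" "$demo_dir/tampered.sh"
printf 'echo "extra line added by a third party"\n' >> "$demo_dir/tampered.sh"
```

In a real pipeline the pinned digest is stored alongside the build configuration and updated only when a new version of the script has been reviewed.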

"Based upon the forensic investigation results to date, it appears that there was periodic, unauthorized access to a Google Cloud Storage key beginning January 31, 2021, which allowed a malicious third-party to alter a version of our bash uploader script to potentially export information subject to continuous integration to a third-party server. Codecov secured and remediated the script April 1, 2021" - Codecov.


News URL

https://www.bleepingcomputer.com/news/security/popular-codecov-code-coverage-tool-hacked-to-steal-dev-credentials/