Codecov dev tool warns of stolen credentials from compromised script, undiscovered for two months

2021-04-19 16:03

Codecov, maker of a code coverage tool used by more than 29,000 customers, has warned that a tampered version of its uploader script may have been stealing credentials for about two months before the modification was discovered a few weeks ago.

Codecov is a cloud-based tool which integrates with GitHub, GitLab, Atlassian Bitbucket, or any Git-based repository.

Developers run their tests in their own CI system and then upload the resulting coverage reports to Codecov using a shell script called the Bash Uploader.

The issue was discovered not by Codecov itself but by a customer, who noticed that the script they had downloaded did not match the published cryptographic checksum that is meant to confirm the script has not been tampered with.

What did the compromised script have access to? According to Codecov, it specifically targeted environment variables in the CI environment, which are commonly used to hold tokens and keys so that test and build steps can use them without hard-coding them.
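As an added example (not Codecov's own uploader and not code from the advisory), the two defences this incident points at, in the shell a CI pipeline actually runs: pin the uploader's SHA-256 digest in the pipeline configuration and refuse to execute a download that does not match it, and, when it does match, execute the script with an empty environment plus only the variables it genuinely needs, so a tampered copy has far less to harvest. The file names, the sample scripts, the variable names and the appended "tampering" line are all constructed for the demo.

```shell
#!/bin/sh
# Added example: verify a downloaded CI script against a pinned SHA-256 before running it,
# and run it with an allowlisted environment. Not Codecov's code; everything here is constructed.

# Print the SHA-256 hex digest of a file. Works with GNU coreutils (sha256sum) or BSD/macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only when FILE hashes to EXPECTED_SHA256; otherwise reports the mismatch and returns 1.
verify_script() {
    vs_actual=$(sha256_of "$1")
    if [ "$vs_actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $vs_actual" >&2
    return 1
}

# run_verified FILE EXPECTED_SHA256 [NAME=VALUE ...]
# Executes FILE only if its digest matches, and only with the NAME=VALUE pairs listed by the caller
# (plus PATH) in its environment, instead of inheriting every secret the CI job holds.
run_verified() {
    rv_file=$1
    rv_expected=$2
    shift 2
    if ! verify_script "$rv_file" "$rv_expected"; then
        echo "refusing to execute $rv_file" >&2
        return 1
    fi
    env -i PATH="$PATH" "$@" sh "$rv_file"
}

# Demo with constructed files: a known-good script (whose digest would be a literal in the pipeline
# config) and a copy that differs by one appended line, standing in for a tampered download.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "token=${CODECOV_TOKEN:-unset} aws=${AWS_SECRET_ACCESS_KEY:-unset}"\n' > "$tmp/uploader.sh"
    pinned=$(sha256_of "$tmp/uploader.sh")
    cp "$tmp/uploader.sh" "$tmp/tampered.sh"
    echo 'echo "one appended line"' >> "$tmp/tampered.sh"

    # Both variables exist in the job, but only CODECOV_TOKEN is handed to the script.
    export CODECOV_TOKEN=demo-token AWS_SECRET_ACCESS_KEY=demo-aws-secret
    run_verified "$tmp/uploader.sh" "$pinned" CODECOV_TOKEN="$CODECOV_TOKEN"
    if ! run_verified "$tmp/tampered.sh" "$pinned" CODECOV_TOKEN="$CODECOV_TOKEN"; then
        echo "tampered copy was blocked"
    fi
    rm -rf "$tmp"
}

demo
```

The pinned digest belongs in the pipeline configuration and gets updated deliberately when upgrading the uploader; fetching the checksum from the same host that serves the script only helps if an attacker cannot replace both, which is why a checksum published separately from the download location is what exposes a mismatch. The `env -i` allowlist does not stop a malicious script from misusing the token it is given, but it keeps the rest of the job's secrets out of reach.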

Codecov has promised a full investigation, including an audit of how the stolen credentials that enabled the incident were accessible in the first place, and additional monitoring to prevent a recurrence.

