Security News > 2021 > May > Twilio, HashiCorp Among Codecov Supply Chain Hack Victims
The massive blast radius from the Codecov supply chain attack remains shrouded in mystery as security teams continue to assess the fallout from the breach but a handful of victims are starting to publicly acknowledge possible exposure of sensitive developer secrets.
The stealth software supply chain compromise of the Codecov Bash Uploader went undetected since January this year and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.
HashiCorp said a post-breach investigation found a subset of its CI pipelines used the affected Codecov component.
Codecov has deleted a web page from its site that claimed more than 29,000 companies rely on its code coverage products.
The Codecov hack was discovered in the wild by a Codecov customer on the morning of April 1, 2021 when the company said it learned that someone had gained unauthorized access to the Bash Uploader script and modified it without permission.
"The actor gained access because of an error in Codecov's Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script," Codecov said, warning that the attacks began in late January and went undetected until a customer noticed a discrepancy between the shasum on Github and the shasum calculated from the downloaded Bash Uploader.