Code analysis company Codecov claims to have over 30,000 enterprise customers, including Atlassian, Google, Node.js, Mozilla and many more. Now it's been hacked after leaking credentials that let an attacker quietly modify its Bash Uploader script, in the latest troubling software supply chain attack.
The attacker had access to Codecov's systems for at least two months undetected.
They used this to change code in Bash Uploader -- which lets users detect their code environment, gather reports, and upload them to Codecov. As a result, the hacker was able to send sensitive data about Codecov customers' code environments to a "third-party server outside of Codecov’s infrastructure."
Codecov's tools are used by companies to measure and track code coverage, identify unused code, maintain existing code and check code security, e.g. prior to application modernisation or migration efforts.
Follow The Stack on LinkedIn
The company has yet to release IOCs for the incident, saying the "IP address of the third party server has been redacted as it is currently part of an ongoing federal investigation" -- a decision that has deeply frustrated security professionals, who say the investigation is no justification for blocking such details.
The breach was first reported to the company by a customer on April 1.
Codecov acknowledged it publicly in an April 15 blog, saying: "Beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users' continuous integration (CI) environments."
The affected code is also used in Codecov-actions uploader for Github, the Codecov CircleCl Orb, and the Codecov Bitrise Step which were "also impacted by this event."
Codecove said the malicious alterations could affect: "Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed; any services, datastores, and application code that could be accessed with these credentials, tokens, or keys; the git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI."
Few details about the incident have emerged but it drew immediate comparisons with the devastating SolarWinds breach, which resulted in scores of federal agencies and blue chip companies being compromised by alleged Russian hackers.
Codecov said it is rotating all internal credentials, including the key used to facilitate the modification of the Bash Uploader (stable door/horse:bolted); auditing where and how the key was accessible; and setting up monitoring and auditing tools to "ensure that this kind of unintended change cannot occur to the Bash Uploader again."
The incident is understood to have been identified after an unnamed customer "saw a discrepancy between the shasum on Github and the shasum calculated from the downloaded Bash Uploader" which they reported to Codecov.