Proprietary 2021-01-31 · 60 days · Credential Theft, Data Theft

Codecov Bash Uploader leaked CI secrets

Attackers modified Codecov's Bash Uploader after gaining access to a private GCP key through a flawed Docker image creation process. The one-line change exfiltrated environment variables from customer CI/CD jobs, pulling credentials, tokens, and keys from build systems.

Story

The Codecov incident was a CI/CD supply-chain compromise with a small code change and a large trust boundary. Attackers obtained a Google Cloud Storage key exposed through Codecov's Docker image creation process. With that key, they periodically altered the hosted Bash Uploader beginning January 31, 2021.

The delivery path was ordinary build automation. Customers invoked https://codecov.io/bash, the raw GitHub uploader, or the S3-hosted script from CI jobs to publish coverage reports. The compromised uploader added a curl-based exfiltration line that sent Git remotes and environment variables to attacker infrastructure.

The payload did not need to run on developer laptops. It ran where secrets were dense: CI workers. Environment variables could include cloud credentials, deploy keys, package tokens, GitHub tokens, signing material, and service credentials. BleepingComputer reported Reuters-sourced claims that hundreds of customer networks were breached, while Codecov's customer base exceeded 29,000 organizations.

A customer noticed a checksum mismatch on April 1, 2021, ending a two-month detection gap. Codecov disclosed the incident on April 15 and urged customers to rotate credentials and audit CI systems. The hard lesson was simple: fetching a mutable shell script at build time converts a coverage upload helper into a privileged remote code path.
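The integrity check that closing sentence argues for, as an added example rather than Codecov's own tooling or published checksums: pin the SHA-256 of a reviewed copy of the uploader in CI configuration and refuse to execute a fetched script whose digest differs, which is the same mismatch the customer noticed by hand. The stand-in script and digests below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: refuse to execute a build-time helper script unless its SHA-256
# matches a digest pinned in the CI configuration. Uses only coreutils/shasum.

# sha256_of FILE: print the hex SHA-256 digest of FILE (portable across Linux/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256: return 0 on match, 1 on mismatch.
verify_script() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# run_verified_uploader FILE EXPECTED_SHA256 [ARGS...]: execute FILE only after
# verification succeeds; a modified script is never run.
run_verified_uploader() {
  file=$1
  expected=$2
  shift 2
  verify_script "$file" "$expected" || return 1
  sh "$file" "$@"
}

# Demonstration with a constructed stand-in for the uploader (no network access).
# In a real pipeline PINNED_SHA256 is hardcoded from a reviewed copy, not computed
# from whatever was just downloaded.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "uploading coverage report"\n' > "$demo_dir/uploader.sh"
PINNED_SHA256=$(sha256_of "$demo_dir/uploader.sh")
run_verified_uploader "$demo_dir/uploader.sh" "$PINNED_SHA256"
# Simulate a single appended line: the pinned digest no longer matches.
printf 'echo "extra line"\n' >> "$demo_dir/uploader.sh"
run_verified_uploader "$demo_dir/uploader.sh" "$PINNED_SHA256" \
  || echo "refused to run modified uploader"
rm -rf "$demo_dir"
```

Pinning only helps when the digest is recorded from a copy someone actually reviewed and updated deliberately; recomputing it from each fresh download, as the demo does for illustration, would accept any change.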

Affected Artifacts

Incident Context

Motive: Espionage
Cause: Stolen Credentials
Transitive: Yes

Notes

  • BleepingComputer reported Reuters-sourced claims that hundreds of customer networks were breached, and noted Codecov had more than 29,000 customers. This record does not encode those figures as exact victim counts.

External References

Source record: proprietary/codecov/meta.yaml