codecov
Codecov Bash Uploader compromised via CI/CD
Attackers modified Codecov's Bash Uploader after gaining access to a private GCP key through a flawed Docker image creation process. The one-line change exfiltrated environment variables from customer CI/CD jobs, pulling credentials, tokens, and keys from build systems. Its impact came from its position: one trusted coverage script ran quietly inside many private software pipelines.
- Date: 2021-01-31 to 2021-04-01
- Category: Commercial
- Target Surface: Build/CI
- Insertion Phase: CI/CD
- Impact: Credential theft
- Cause: Stolen credentials
What Was Affected
Package: codecov
Language: Shell
Component: Application
Artifact type: source code
Domain type: project download host
Domain: codecov.io
Repository: github.com/codecov/codecov-bash
Incident Context
- Motive: Espionage
- Transitive: Yes
- Observed Duration: 60 days
Evidence
Compromised Artifacts
- codecov.io/bash
- raw.githubusercontent.com/codecov/codecov-bash/master/codecov
- codecov.s3.amazonaws.com/bash/codecov
Current Artifacts and Analysis
Indicators and Changes
Hashes
sha256:6730a44f191168573710105178477116f718333b6de1f008ff811066c424bb59
Source Data
Source record: proprietary/codecov/meta.yaml