Codecov hack aftermath: hundreds breached, many more to follow


On April 1st, software testing firm Codecov became aware of a security incident.

The company learned that, for over two months, Codecov’s Bash Uploader scripts, used by hundreds or thousands of its customers, had been altered with a malicious line of code that exfiltrated the information held in environment variables on users’ CI/CD environments to an attacker’s IP address.

Bash Uploader exfiltrated environment variables to attacker’s IP address (BleepingComputer)

The flaw originated from an error in the Docker image creation process, which, according to Codecov, “allowed the actor to extract the credential required to modify our Bash Uploader script.”

Codecov provides code coverage, testing, and stats to over 29,000 companies, and even has a handy GitHub app to integrate the tool right within your open-source software project.

As such, the security advisory released by Codecov strongly advised users to reset all of their credentials, tokens, or keys that were present in the environment variables in their CI processes that used Codecov uploaders.
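The two practical consequences of the incident are that a CI job should never run a downloaded uploader script whose contents it has not verified, and that anyone who did run the altered script needs a list of which environment variables to rotate. The following added example (written for this page; it is not Codecov’s code and does not reproduce the malicious line) shows both as POSIX shell functions: `verify_script` refuses to proceed unless the SHA-256 of a downloaded file matches a digest pinned in the repository, and `list_secret_env_names` prints only the names of environment variables that look like credentials so they can be reset. The pinned digest, the temporary file and the `EXAMPLE_DEPLOY_TOKEN` variable in the demonstration are constructed for the example.

```shell
#!/bin/sh
# Added example, not Codecov's code: defensive checks for a CI job that
# downloads and runs a third-party uploader script.

# Compare the SHA-256 of file $1 with the pinned digest $2.
# Returns 0 on a match and 1 otherwise, so a tampered copy fails closed
# before it can read the job's environment.  Requires coreutils sha256sum.
verify_script() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" != "$expected" ]; then
        echo "integrity check failed for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Print, one per line, the names of environment variables whose names
# suggest a credential (token, secret, password, API or private key).
# Only names are printed; values never leave the process, so the output
# is safe to attach to a rotation ticket.
list_secret_env_names() {
    env | cut -d '=' -f 1 \
        | grep -iE '(token|secret|passw(or)?d|api_?key|private_?key|credential)' \
        | sort -u
}

# Demonstration on a constructed file standing in for a downloaded script.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    # Constructed pin: the SHA-256 of the six bytes "hello\n".
    pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

    if verify_script "$tmp" "$pinned"; then
        echo "digest matches pin: safe to execute"
    fi

    # One appended line is enough to change the digest, so the copy is refused.
    printf '# appended line\n' >> "$tmp"
    if ! verify_script "$tmp" "$pinned" 2>/dev/null; then
        echo "digest mismatch: refusing to execute"
    fi
    rm -f "$tmp"

    # Constructed variable to show what the rotation list looks like.
    export EXAMPLE_DEPLOY_TOKEN=placeholder
    echo "environment variables to rotate:"
    list_secret_env_names
}

demo
```

In a real pipeline the pinned digest is committed next to the CI configuration and updated deliberately when the vendor publishes a new script version, so a silent change on the download endpoint becomes a failed build rather than a leak; the name listing is run once on the affected runners to decide which credentials fall under the advisory’s reset instruction.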

Continue reading on Security Report for free.

The original post has been moved to Security Report due to multiple concerns about Medium expressed by many users [1, 2, 3].

Ax Sharma, Security Researcher | Tech Columnist | https://hey.ax
