Codecov Bash Uploader Was Compromised for Three Months
Earlier this month, Codecov discovered that a threat actor modified their Bash Uploader script. The threat actor was able to obtain unauthorized access due to “an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify” the script. Codecov’s investigation found that the Bash Uploader script had been altered several times starting on January 31, 2021. The changes allowed the threat actor “to potentially export information stored in our users' continuous integration (CI) environments.”
If you had any keys, credentials or tokens in your CI environment, and you’re using the Codecov CI runner which includes their Bash Uploader, you need to consider them compromised and you need to start revoking/updating or creating new ones. Also make sure that digital signatures are verified when doing updates. Even if you’re running an internal deployment, make sure you’re running the known-good versions of the software.
Yet another software supply chain compromise. Just like similar compromises, we may see additional fallout from this as the attackers behind this were able to harvest some credentials used in CI/CD pipelines. If you are using Codecov, and were affected, make sure you update your credentials (and also look into methods to automatically rotate them from time to time).
Two important aspects to this item: (1) Attackers are increasingly focusing on the tools used by developers which are often built without emphasizing security and often go untested even when they are use in software development lifecycle that includes security testing of the end software product; (2) The Register piece quotes a survey of developers by the Open Source Software Security Foundation (the 2020 consolidation of the Open Source Security Coalition and the Core Infrastructure Initiative) that says developers of free and open source software spend less than 3% of their time on security and feel even that is too much. While the DevOps movement has shown promising trends in making security and privacy “guard rails” be considered intrinsic requirements, it has not resulted in developers magically becoming security experts or champions.
Read more in
Codecov: Bash Uploader Security Update
GovInfosecurity: Attack on Codecov Affects Customers