Codecov was breached at the end of January. Since then, a large number of its clients have identified and revealed that their data has been exposed due to the supply chain attack. Recently, Mercari, the Japanese e-commerce company, revealed that it suffered a major data breach.

What happened?

In January, unknown hackers had tampered with the source code of Codecov’s Bash Uploader, injecting it with a credential harvesting script. Organizations that were affected due to the attack include several global IT giants, including cybersecurity agencies.
  • Mercari has confirmed that thousands of customer records, including financial information, were exposed to outsiders.
  • A few days ago,, the online workflow management platform, revealed that external actors had gained access to its source code.
  • Cybersecurity company Rapid7 revealed that an unauthorized actor had accessed a small subset of source code repositories, customer credentials, and other data due to the breach.

Other recent disclosures

Codecov platform, which hosts code testing reports and statistics for more than 29,000 enterprises, had started notifying its customers about the breach at the end of April. 
  • Earlier this month, Twilio, the U.S.-based cloud communications company, revealed that Codecov’s tampered Bash Uploader was used in several of its projects and CI pipelines.
  • The open-source company HashiCorp disclosed that a small subset of its CI pipelines used the affected Codecov component.

A breach with global impact

Codecov’s supply chain attack is considered one of the major supply chain attacks this year, which has forced the U.S. and the U.K to drive new cybersecurity policies, including the release of a new U.S. Presidential Executive Order on cybersecurity.


With the ever-growing list of affected victims, users of Codecov are suggested to perform a thorough scan of their CI-CD pipelines and change their secret keys and passwords. In addition, implementing an effective strategy, such as a Zero Trust Architecture, can help disrupt the common attack trajectory of a supply chain attack.

Cyware Publisher