Codecov breach impacted ‘hundreds’ of customer networks: report

Updated: Reports suggest the initial hack may have led to a more extensive supply chain attack.
Written by Charlie Osborne, Contributing Writer

DevOps tool provider Codecov's security breach has impacted "hundreds" of clients according to new information surrounding the incident. 

US investigators examining the case told Reuters on Tuesday that the attackers responsible for the hack not only exploited Codecov's software but also potentially used the company as a springboard to compromise a large number of customer networks.

Based in San Francisco, Codecov offers code coverage and software testing tools. The aim is to allow users to deploy "healthier" code during the DevOps cycle, but on or around January 31, 2021, an unknown attacker was able to exploit an error in Codecov's Docker image creation process to tamper with the Codecov Bash Uploader script. According to Codecov's own statement, the error allowed the attacker to extract the credential required to modify the script, which is fetched and executed by customers' build pipelines.

The altered script could exfiltrate information stored in users' continuous integration (CI) environments, including environment variables that commonly hold secrets.
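The attack worked because the common integration pattern at the time was to fetch the uploader from codecov.io and pipe it straight into bash, so whatever the server handed out ran with the CI job's full environment. The added example below (written for this page, not Codecov's code) shows the control a practitioner would want instead: download the script to a file, compare its SHA-256 against a hash pinned in your own repository, and execute it only on a match. The URL and the expected hash are placeholders you would fill in from a source you trust; the hash must not be fetched from the same origin as the script, or a compromised server can simply serve a matching pair.

```shell
#!/bin/sh
# Added example, not Codecov's code: refuse to run a downloaded CI helper
# script unless it matches a checksum pinned in your own repository.
#
# Weak pattern this replaces (runs whatever the server serves, with all CI
# secrets in the environment):
#   bash <(curl -s https://codecov.io/bash)

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE.
# Uses GNU coreutils sha256sum where present, otherwise BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file matches, 1 otherwise.
verify_sha256() {
  file="$1"
  expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# fetch_verify_run URL EXPECTED_HEX [ARGS...]
# Downloads URL to a temp file, verifies it, and only then executes it.
# EXPECTED_HEX is meant to be committed alongside the CI config, not
# retrieved at runtime from the same server that serves the script.
fetch_verify_run() {
  url="$1"
  expected="$2"
  shift 2
  tmp="$(mktemp)"
  if ! curl -fsSL "$url" -o "$tmp"; then
    echo "download failed: $url" >&2
    rm -f "$tmp"
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "refusing to execute $url" >&2
    rm -f "$tmp"
    return 1
  fi
  bash "$tmp" "$@"
  status=$?
  rm -f "$tmp"
  return $status
}

# Example CI step (placeholder URL and hash; pin the real values yourself):
#   UPLOADER_URL="https://example.invalid/uploader.sh"       # assumption
#   UPLOADER_SHA256="<sha256 recorded when you last reviewed the script>"
#   fetch_verify_run "$UPLOADER_URL" "$UPLOADER_SHA256" -t "$CODECOV_TOKEN"
```

Pinning a hash means a vendor's legitimate update will also fail the check until someone reviews the new script and bumps the pinned value; that friction is the point, since it turns a silent server-side modification into a visible build failure. Rotating any secrets that were exposed to the CI job remains necessary once a tampered script has already run.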

Speaking on condition of anonymity to the news agency, one of the investigators said the attackers used automation to harvest credentials and then "raid additional resources," which may have included data hosted on the networks of other software development tool vendors, including IBM. 

An IBM spokesperson told Reuters that, as of now, there does not seem to be any "modifications of code involving clients" or the company itself. 

Codecov counts more than 29,000 enterprise clients in total. The company also works extensively with the open source community and startups. 

The initial compromise and the backdoor in the Bash Uploader script were discovered on April 1, impacting Codecov's full set of "Bash Uploaders," including the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step. 

The supply chain attack, made possible by compromising a resource used by many other organizations, may have resulted in the theft of credentials, tokens, and keys passing through client CI pipelines, as well as access to "services, datastores, and application code that could be accessed with these credentials," according to Codecov. 

In addition, URLs of origin repositories using the Bash Uploaders may have been exposed. 

Codecov said the issue has since been fixed and that impacted customers were notified on April 15 via the email addresses on file. Users are advised to rotate any credentials, tokens, or keys that passed through their CI environments if they have not already done so. 

Codecov is also rotating its internal credentials and has brought in a third-party cyber forensics firm to conduct an audit. A new monitoring system is also being built to prevent such "unintended changes" from happening in the future. 

"Codecov maintains a variety of information security policies, procedures, practices, and controls," commented Jerrod Engelberg, Codecov CEO. "We continually monitor our network and systems for unusual activity, but Codecov, like any other company, is not immune to this type of event."

Due to the potential ramifications of this attack, the FBI is also involved. The ongoing federal investigation has led to suggestions the Codecov situation could be likened to SolarWinds, in which the software vendor's network was compromised in order to deploy a malicious software update to clients in a separate supply chain attack. 

Last week, the FBI, NSA, CISA, and UK government formally blamed cyberattackers working for Russian intelligence for the SolarWinds incident.

Update 14.43 BST: Codecov declined to comment further and referred us to the company's previous statement.
