Skip to main content
close search
site logo
Dive Brief

Codecov hack — likened to SolarWinds — targets software supply chain

Published April 23, 2021 Updated April 30, 2021
David Jones's headshot
Reporter
Closeup side view of group of mid 20's mobile application developers testing the code and fixing the issues.
gilaxia via Getty Images

UPDATE: April 30, 2021: Codecov has contacted victims of a malicious supply chain attack originally disclosed in mid-April, posting indicators of compromise and known IP addresses used to modify its Bash Uploader script and transmit stolen customer data, the company said Thursday.  

Attackers accessed Bash Uploader 108 times between Jan. 31 and April 1 that the Bash Uploader was affected, Codecov said. Users who were part of the affected group were sent emails and a notification banner in the Codecov application Thursday evening. As part of the notification, Codecov disclosed additional details about which environment variables the threat actor obtained.

Dive Brief: 

  • Federal authorities are probing a security breach at Codecov, an open-source code testing provider, in what could be the next major supply chain attack to roil the IT-security industry, analysts warn. The attack began Jan. 31, but the breach was not discovered until April 1. 
  • Unidentified third parties gained access to and modified Codecov's Bash Uploader script, which allowed them to exfiltrate customer information stored in its continuous integration (CI) environments. Codecov declined to comment further on the breach, directing inquiries to a blog post published April 15.
  • More than 29,000 enterprise customers worldwide use Codecov's services. Security researchers are comparing the impact of the breach to the nation-state attack against SolarWinds, which disrupted the international IT supply chain. 

Dive Insight:

Codecov warned that modifications to the Bash Uploader script could potentially affect any credentials, tokens or keys that customers were passing through the CI runner. Services, datastores and application code that was linked to these credentials could also be at risk, according to Codecov. 

The company said it hired an outside forensics company to investigate. Codecov says it is fully cooperating with law enforcement after reporting the incident to authorities. 

"The Codecov incident is typical of an increasingly concerning attack form that was used in incidents like SolarWinds — targeting internal development infrastructure to poison software and use the supply chain effect to pass the issue downstream," Ilkka Turunen, Field CTO at Sonatype, said via email. 

The DevOps community feared such an attack for many years. Sonatype officials consider development infrastructure part of the security frontline. 

"It looks like a big supply chain issue, and like SolarWinds, the potential to use it as a launching pad for attacks against Codecov customers should be the foremost concern," said Sandy Carielli, principal analyst at Forrester Research. 

Codecov recommended its users roll credentials. "In this situation they should try to force it if they can," Carielli said. 

The breach also raises the specter of third-party risk and customers may want to consider reviewing all of their policies and controls regarding vendors, according to Carielli. 

CircleCI, a continuous integration and continuous delivery platform, confirmed that the Codecov breach impacted its integration with the code testing firm CircleCI Orb. 

"Yes the integration was impacted in that all of Codecov was affected," a spokesperson for CircleCI said. "The integration is a connection point between the two services that Codecov supplies and maintains."

Codecov customers were sent alerts instructing them to rotate their credentials and environment variables, the spokesperson said. Other Codecov customers were still working to assess the impact of the breach on their systems. 

"We are investigating the reported Codecov incident and so far have found no modifications of code involving clients or IBM," an IBM spokesperson said in an emailed statement. 

Software security platform Checkmarx said after a thorough investigation, it found no evidence that the company or its customers were affected, but did take some precautionary steps. 

“We have taken the appropriate steps to remove the integration from the limited instance where it was used, and will continue to monitor the situation closely,” according to an emailed statement. 

An FBI spokesperson would neither confirm nor deny the existence of a current investigation, citing Department of Justice policy. Officials at the Cybersecurity & Infrastructure Security Agency did not return a request for comment. 

Filed Under: Breaches, Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Releases First-of-Its-Kind Open-Source DCV Library to Elevate Industry Standards
From DigiCert
December 18, 2024
Chemonics International Data Breach Investigation
From Migliaccio & Rathod LLP
December 04, 2024
Why Cybersecurity Leaders Trust the MITRE ATT&CK Evaluations
From Cynet Security
December 05, 2024
Rumpke Data Breach Investigation
From Migliaccio and Rathod
December 11, 2024
Editors' picks
Latest in Breaches
Industry Dive is an Informa TechTarget business.
© 2024 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.