Codecov Code Coverage Tool Hacked

Codecov announced that a threat actor had hacked its Bash Uploader script, therefore exposing sensitive information in customers’ continuous integration environment. The platform learned about the compromise on April 1st, but it seems that the first signs of the supply-chain attack occurred in January.

With a customer base of more than 29,000 enterprises, the list counting Atlassian, Washington Post, GoDaddy, Royal Bank of Canada, and Procter & Gamble, Codecov is an online platform for hosted code testing reports and statistics.

Codecov provides tools that help developers measure how much of the source code executes during testing, a process is known as code coverage, this being an indicator of the potential for undetected bugs being present in the code.

Bash Uploader is the tool that the customers use in order to send code coverage reports to the platform. It looks like the attackers focused on this specific data collection instrument starting with January 31st by changing the script to deliver the details from customers’ environment to a server outside Codecov’s infrastructure.

The vulnerability that was leveraged in order to gain access represented an error in the process of creating Codecov’s Docker image, thus allowing for the extraction of credentials that are protecting the modification of the Bash Uploader script.

Codecov believes that the threat actor could’ve used the malicious version to export sensitive data like credentials, tokens, keys, or services, datastores, and application code that could be accessed with these credentials, tokens, or keys, and also the git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

Heimdal Official Logo

Your perimeter network is vulnerable to sophisticated attacks.

Heimdal™ Threat Prevention
– Network

Is the next-generation network protection and response
solution that will keep your systems safe.

  • No need to deploy it on your endpoints;
  • Protects any entry point into the organization, including BYODs;
  • Stops even hidden threats using AI and your network traffic log;
  • Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;

Codecov is recommending to its users to re-roll all credentials, tokens, or keys present in the environment variables in the CI processes that relied on Bash Uploader, in order to remain safe.

Codecov found out about the compromise from a customer who noticed that the hash value for the Bash Uploader script on GitHub did not match the one for the downloaded file, and immediately after learning of the compromise, the company took steps to mitigate the incident.

Based upon the forensic investigation results to date, it appears that there was periodic, unauthorized access to a Google Cloud Storage (GCS) key beginning January 31, 2021, which allowed a malicious third-party to alter a version of our bash uploader script to potentially export information subject to continuous integration (CI) to a third-party server. Codecov secured and remediated the script April 1, 2021.


Codecov declared that the incident happened despite the security policies, procedures, practices, and controls put in place, as well as the continuous monitoring of the network and systems for unusual activity.

Similar Posts