Fresh off the back of the SolarWinds compromise comes another supply chain attack. This time the target was Codecov, a firm which provides tools and services to check how well software tests are covering code under development in continuous integration (CI) workflows.
Developers discovered a backdoor in the Codecov Bash Uploader tool, which is used by many organisations and open-source projects as part of their testing processes.
Codecov said the attackers modified its command-line upload tool so that it could export all the data stored in its users’ CI environments. Of deep concern is the extent of the compromised data: user credentials, software tokens and keys, along with any data those keys could be used to access, and information about the users’ remote repositories.
This compromised data was then sent to a third-party server outside of Codecov’s infrastructure.
It is believed the backdoors may have been there for up to four months, with the company reporting periodic, unauthorised access to its Google Cloud Storage (GCS) key beginning January 31, 2021.
Codecov strongly recommends affected users immediately re-roll all credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.
Any of the 29,000 organisations that use Codecov are advised to scan their logs for unusual activity from the end of January to the beginning of April.
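The first step in acting on Codecov’s advice is knowing which CI environment variables actually held credentials. The script below is an added example, not Codecov tooling: it builds a redacted rotation inventory from an environment, flagging variables either by a credential-like name or by a value with the shape and entropy of a machine-generated token. The name hints, the entropy threshold and the SAMPLE_CI_ENV dictionary are all constructed assumptions for illustration.

```python
import math
import os
import re
from collections import Counter

# Name fragments that commonly mark credential-bearing variables.
# Assumption: this list is illustrative, not exhaustive.
SECRET_NAME_HINTS = ("TOKEN", "SECRET", "PASSWORD", "PASSWD", "API_KEY",
                     "APIKEY", "PRIVATE_KEY", "ACCESS_KEY", "CREDENTIAL")

# Values that look like machine-generated tokens: long, no whitespace,
# drawn from a base64/hex-like alphabet.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-=/+.]{20,}$")

# Constructed sample of a CI job environment (not real credentials).
SAMPLE_CI_ENV = {
    "CI": "true",
    "HOME": "/home/runner",
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "BUILD_NUMBER": "4187",
    "GITHUB_TOKEN": "ghp_EXAMPLEonly0000000000000000000000000",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "DB_PASSWORD": "hunter2",
    # Innocuous name, but the value is a 40-char hex token: caught by shape.
    "DEPLOY_HOOK": "a8f3d9c2e1b74f6a0d5c9e8b7a6f5d4c3b2a1908",
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score well above prose."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(name: str, value: str) -> bool:
    """True if the name suggests a credential, or the value is token-shaped
    and high-entropy (threshold 3.5 bits/char is an assumption)."""
    upper = name.upper()
    if any(hint in upper for hint in SECRET_NAME_HINTS):
        return True
    return bool(TOKEN_SHAPE.match(value)) and shannon_entropy(value) > 3.5


def redact(value: str) -> str:
    """Keep just enough of the value to recognise which credential it is."""
    if len(value) <= 8:
        return "****"
    return value[:4] + "..." + value[-2:]


def rotation_inventory(env: dict) -> list:
    """Return sorted (name, redacted_value) pairs for every variable that
    should be re-rolled after the CI environment was exposed."""
    return sorted((name, redact(val)) for name, val in env.items()
                  if looks_like_secret(name, val))


if __name__ == "__main__":
    # Run inside the CI job itself to inventory the live environment;
    # only redacted values are ever printed.
    for name, hint in rotation_inventory(dict(os.environ)):
        print(f"ROTATE  {name}  ({hint})")
```

Run it as a step in the same pipeline that invoked the Bash Uploader, since that is the environment the uploader could read; the output is a checklist of names to rotate, never the secrets themselves. Value-shape detection is what catches credentials hiding behind bland names such as DEPLOY_HOOK, which a name-only search would miss.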