H-ISAC TLP White Finished Intelligence Reports: Codecov Releases New Detections for Supply Chain Compromise

April 30, 2021

On April 30, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) posted an alert titled "Codecov Releases New Detections for Supply Chain Compromise."

CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021. Upon discovering the compromise on April 1, 2021, Codecov immediately remediated the affected script. On April 15, 2021, Codecov notified customers of the compromise, and on April 29, 2021, Codecov released an update containing new detections, including indicators of compromise (IOCs) and a non-exhaustive data set of likely compromised environment variables, to assist organizations in determining whether they have been affected.

Immediately upon becoming aware of the issue, Codecov secured and remediated the affected script and began investigating any potential impact on users. A third-party forensic firm has been engaged to assist in the analysis of the incident. In addition, Codecov has reported the matter to law enforcement and is fully cooperating with their investigation.

Codecov’s investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of their Bash Uploader script by a third party, which enabled them to potentially export information stored in users' continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.

The Bash Uploader is also used in several related uploaders, or “Bash Uploaders”, including the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step. Therefore, these related uploaders were also impacted by the incident.
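An added example, not taken from the CISA alert or from Codecov: one way to inventory which CI configuration files reference the Bash Uploader or the related uploaders named above, and which credential names those files mention, as a starting list for review. The match patterns, the `audit` function and the sample configurations are assumptions constructed for illustration.

```python
import re

# Assumed patterns: how each uploader named in the alert is commonly referenced
# in CI configuration. Adjust them to match your own pipelines.
UPLOADER_PATTERNS = {
    "Bash Uploader": re.compile(r"codecov\.io/bash\b"),
    "Codecov GitHub Action": re.compile(r"uses:\s*codecov/codecov-action@"),
    "Codecov CircleCI Orb": re.compile(r"codecov/codecov@"),
    "Codecov Bitrise Step": re.compile(r"^\s*-\s*codecov@"),
}
# Credential names referenced as secrets.NAME, $NAME or ${NAME}.
SECRET_REF = re.compile(r"(?:secrets\.|\$\{?)([A-Z][A-Z0-9_]{2,})")

def audit(configs):
    """Map each config path that references an uploader to its hits and credential names."""
    findings = {}
    for path, text in configs.items():
        hits = []
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):  # ignore commented-out steps
                continue
            hits += [(lineno, name) for name, pat in UPLOADER_PATTERNS.items() if pat.search(line)]
        if hits:
            # Only names visible in the file; variables injected from CI settings need a separate review.
            findings[path] = {"uploaders": hits, "rotate": sorted(set(SECRET_REF.findall(text)))}
    return findings

# Constructed sample configurations (versions are placeholders).
SAMPLE_CONFIGS = {
    ".github/workflows/test.yml": """\
steps:
  - run: pytest --cov
    env:
      DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
  - uses: codecov/codecov-action@vX
""",
    ".circleci/config.yml": "orbs:\n  codecov: codecov/codecov@X.Y.Z\n",
    ".travis.yml": "after_success:\n  - bash <(curl -s https://codecov.io/bash) -t $CODECOV_TOKEN\n",
    "ci/build.yml": "script:\n  - make test\n  # bash <(curl -s https://codecov.io/bash)\n",
}

if __name__ == "__main__":
    for path, result in audit(SAMPLE_CONFIGS).items():
        print(path, result["uploaders"], "review:", result["rotate"])
```

The credential list covers only names written in the configuration file itself; any variable present in the CI job's environment during the affected window belongs in the same review.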

View the entire report under Key Resources to learn more.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272