A new supply chain attack made the headlines, the software company Codecov recently disclosed a major security breach after a threat actor compromised its infrastructure to inject a credentials harvester code to one of its tools named Bash Uploader.
Code coverage is one of the major metrics companies, it provides code testing solutions to a broad range of organizations, including Atlassian, P&G, GoDaddy, and the Washington Post.
The security breach took place on January 31, but it was discovered on April 1st by one of its customers.
“On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.” reads the security update provided by the software company.
Once discovered the breach, Codecov immediately secured its infrastructure and began investigating the incident with the support of a third-party forensic firm. The company also reported the incident to law enforcement.
The investigation revealed that the threat actor gained periodic access to the Bash Uploader script making changes to add malicious code. The malicious code would allow the attacker to intercept uploads and scan and collect any sensitive information, including credentials, tokens, or keys.
The security breach also impacted many other products of the company using the Bash Uploader script, including Codecov-actions uploader for Github, the Codecov CircleCl Orb, and the Codecov Bitrise Step.
According to the company, the tainted version of the Bash Uploader script could potentially affect:
The company recommends affected users immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.
Below a list of countermeasures adopted by the company to address this situation:
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, WhatsApp)