Will the CodeCov breach become the next big software supply chain hack?

Sweetgreen is one of a number of high-profile customers listed on the website of Codecov, which suffered a breach that some believe could have widespread implications. (“sweetgreen – Ballston, Arlington” by Tony Webster is licensed under CC BY 2.0)

It’s always good to have your radar up on April Fool’s Day, constantly on the lookout for potential pranks or tomfoolery. For one company, what they discovered on April 1 was far from a joke.

Yesterday, software company Codecov, which sells a tool that lets developers measure the test coverage of their codebase, disclosed that it suffered a breach. In particular, the attackers exploited a bug in the company’s Docker image creation process to gain access to, and alter, its Bash Uploader script, which is designed to map out development environments and report back to the company. The small modification quietly shipped user credentials out of the CI run, credentials that could have been used to access and exfiltrate data from customers’ continuous integration environments.

In a note posted on the Codecov website, CEO Jerrod Engelberg said that any credentials, authentication tokens or keys that were run through an affected customer’s CI process were exposed, and with them the attacker would have had access to any corresponding services, datastores, application code and git repositories that could be accessed by those credentials.

After discovering the breach on April 1, a follow-up investigation determined that the threat actor had been in their network since at least January 31, going undetected for months. The vulnerability also affected three other Bash Uploaders: the Codecov CircleCI Orb, the Codecov-actions uploader for GitHub and the Codecov Bitrise Step.

“We strongly recommend affected users immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders,” Engelberg advised.
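Two practical checks follow from the description above: a CI helper script that runs with the job's environment can see every credential exposed as an environment variable, and a script fetched at build time should be verified before it is executed. The following POSIX shell snippet is an added example, not Codecov's own tooling or anything published by the company. It has two parts: `secret_like_env_names` inventories the environment-variable names a job exposes that look like credentials (useful when deciding what to re-roll), and `verify_script` refuses to run a helper script whose SHA-256 does not match a hash pinned at onboarding time. The name patterns, the pinned-hash workflow and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article or from Codecov).

# Compute a SHA-256 hex digest portably (coreutils on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Read NAME=value lines on stdin (e.g. the output of `env`) and print only the
# names that look like credentials. Values are never printed. The name patterns
# are an assumption; extend them for your own CI conventions.
secret_like_env_names() {
  sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' \
    | grep -E -i 'TOKEN|SECRET|PASSW|CREDENTIAL|API_KEY|PRIVATE_KEY|ACCESS_KEY' \
    || true
}

# verify_script FILE EXPECTED_SHA256: return 0 only when the file's digest
# matches the hash pinned in the pipeline definition; otherwise report and fail.
verify_script() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "refusing to run $1: expected $2, got $actual" >&2
  return 1
}

# run_verified FILE EXPECTED_SHA256: execute the helper only after verification.
run_verified() {
  verify_script "$1" "$2" || return 1
  sh "$1"
}

# Demonstration with constructed files; the "uploader" here is a stand-in.
demo() {
  echo "credential-like variables visible to this job:"
  env | secret_like_env_names

  tmp=$(mktemp -d)
  printf 'echo "uploading coverage report"\n' > "$tmp/uploader.sh"
  pinned=$(sha256_of "$tmp/uploader.sh")   # recorded once, kept in the pipeline

  echo "first run (unmodified script):"
  run_verified "$tmp/uploader.sh" "$pinned"

  # Simulate an unreviewed change to the fetched script.
  printf '# an extra line that was not there when the hash was pinned\n' >> "$tmp/uploader.sh"
  echo "second run (modified script):"
  run_verified "$tmp/uploader.sh" "$pinned" || echo "blocked: hash mismatch"
  rm -rf "$tmp"
}

demo
```

Pinning a hash only helps if the pinned value itself comes from a trusted channel (a reviewed pipeline definition, not the same download) and is updated deliberately when the upstream script legitimately changes; the inventory function is meant to be run in the same job context as the uploader so it reflects exactly what that script could have read.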

Codecov did not disclose how many of its clients were impacted, saying only that it had notified all affected parties in writing. The known details of the intrusion, the nature of the company’s work and its customer base have given rise to concerns that the…