Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->

Attackers Compromised Code-Checking Vendor's Tool for Two Months

A script used to upload sensitive reports-with access to credentials and datastores-likely sent information on hundreds, possibly thousands, of companies to attackers.

In a software supply-chain attack reminiscent of the SolarWinds compromise, unknown attackers used a vulnerable tool published by code checking firm Codecov for a little over two months to collect sensitive development information from the company's clients.

Codecov, which provides tools and services to check how well software tests are covering code under development, in a statement published on Friday warned that attackers had modified a command-line upload tools to also send sensitive information to the attackers. At-risk data includes credentials, software tokens, and keys—and the data and code that could be accessed with those secrets—as well as the remote repository information.

Related Content:

Attackers Turn Struggling Software Projects Into Trojan Horses

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

The firm recommended that clients use a script to create a list of credentials that could be accessed by its software and consider those credentials and secrets compromised.

"If anything returned from that command is considered private or sensitive we strongly recommend invalidating the credential and generating a new one," Jerrod Engelberg, CEO of Codecov, said in a statement. "Additionally, we would recommend that you audit the use of these tokens in your system."

Codecov first became aware of the breach on April 1, after a customer reported a discrepancy in the check sum used to verify the integrity and authenticity of the tool. The company began investigating and has brought in federal law enforcement, Codecov said in its statement. The attackers likely had access to the system since the end of January, according to the company's investigation. While CodeCov did not specify how many clients were affected by the breach, its website states that more than 29,000 enterprises use its service.

A breach at a software supplier that could have impacted thousands of client firms puts the attack squarely on the level of the SolarWinds compromise, says Asaf Karas, co-founder and chief technology officer for Vdoo, an Internet-of-Things security platform.

"The Codecov system breach is yet another example that highlights the need to verify and scan any third-party software artifacts introduced to enterprise networks or applications, especially as part of the build chain," he says. "Shell scripts, in particular, aren't being given enough attention and coverage from a security tooling perspective, making them more exploitable and useful for adversaries."

The breach occurred when the attacker exploited a vulnerability in the process Codecov used to create Docker images for its own development. The attacker extracted the credential needed to modify a command-line tool, Bash Uploader, that client used to send reports to the company. The tool, instead, sent reports to a server at a third-party site.

Software supply chains have become a significant target of attackers. Increasingly, attackers have attempted to compromise open-source components and projects, using techniques such as dependency typosquatting or just buying a project outright. In addition, attackers have compromised the update mechanism for widely-used software as a way to deliver malware to customers, a technique used to spread NotPetya, infect users of Piriform's CCleaner, and compromise thousands of enterprises who use SolarWinds' Orion.

Bash Uploader Weaponized

In Codecov's case, the attackers turned the company's Bash Uploader—normally used to send software scanning reports to the company—into a Trojan horse, which also sent information on the victim's software environment, including the credentials needed to access parts of that environment.

As of the evening of April 15, the company had reached out affected customers but stressed that its investigation is ongoing. 

"We are still actively assessing the impact of this event on our customers," the company said, adding, "Out of an abundance of caution, if you used the Bash Uploaders between January 31, 2021 and April 1, 2021 and did not conduct a checksum validation of the Bash Uploader, we would suggest you re-roll all of your credentials, tokens, or keys located in the environment variables in your CI process."

Codecov replaced the malicious script as of April 1 and has taken a number of steps to defend its software and network, including regenerating all internal credentials and software keys and auditing where and how the leaked key was used, the company said. The firm has also begun monitoring the Bash Uploader program to make sure that the same type of attack does not happen in the future, CEO Engelberg said in his statement.

Codecov declined to provide a comment to Dark Reading, beyond its public statement. The company has not attributed the attack to any group or nation-state.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.