Another software company has disclosed a security breach whose impact could be long-lasting and severe. This time, the software firm Codecov has emerged as the victim of a supply-chain attack. Following Codecov’s disclosure, hundreds of its customers have emerged as potential victims of the breach.
Codecov Suffered Supply-Chain Attack
Reportedly, the US-based software testing and DevOps tools provider Codecov has disclosed a breach following a supply-chain attack.
As Codecov disclosed via its security update, the service noticed a security breach on its network on April 1, 2021.
Investigating the matter revealed that unidentified attackers had gained access to the Bash Uploader script and modified it. This reportedly happened from January 31, 2021 onward. As stated in their notice,
Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.
Codecov identified a vulnerability in its Docker image creation process as the root cause of the breach. Exploiting this flaw allowed the attackers to obtain the credentials required to modify the Bash Uploader script.
Since three other uploaders are built on that script, Codecov confirmed that the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step were affected as well.
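The altered uploader described above ran inside customers’ CI jobs because the script was fetched and executed as-is. As an added example, not code from this article or from Codecov, the following POSIX shell snippet shows the check a pipeline can apply: pin the expected SHA-256 of the uploader script and refuse to execute any copy whose digest differs. The file names and the pinned hash are constructed placeholders, not Codecov’s published values.

```shell
#!/bin/sh
# Added example: only execute a fetched uploader script when its SHA-256
# matches a digest pinned in the pipeline configuration. File names and
# the pinned value below are constructed for the demo, not real values.

# Print the SHA-256 of a file; works with GNU sha256sum or BSD shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE's digest equals EXPECTED_SHA256, 1 otherwise.
verify_script() {
    actual=$(file_sha256 "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "integrity check failed for $1: expected $2, got $actual" >&2
    return 1
}

# run_verified FILE EXPECTED_SHA256
# Executes FILE with sh only after verify_script succeeds, so a copy that
# was altered after the digest was pinned never runs in the CI job.
run_verified() {
    verify_script "$1" "$2" || return 1
    sh "$1"
}

# Demo with a constructed script: the pinned copy runs, an edited copy is refused.
demo_dir=$(mktemp -d)
printf 'echo "uploading coverage report"\n' > "$demo_dir/uploader.sh"
pinned=$(file_sha256 "$demo_dir/uploader.sh")   # value an operator would store in CI config
run_verified "$demo_dir/uploader.sh" "$pinned" && echo "pinned copy executed"
printf '# unauthorized edit\n' >> "$demo_dir/uploader.sh"   # simulate an altered download
run_verified "$demo_dir/uploader.sh" "$pinned" || echo "altered copy refused"
rm -rf "$demo_dir"
```

In a real pipeline the pinned digest comes from the vendor’s published checksum for a specific script version and is updated deliberately, so a silently changed download fails the job instead of running with the CI secrets in scope.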
The Aftermath Resembles SolarWinds Incident
Upon detecting the breach, Codecov quickly remediated the issue and issued the following mitigation advice to its users.
We strongly recommend affected users immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.
However, it later turned out that the breach had already affected hundreds of networks, something reminiscent of the SolarWinds supply-chain attack.
According to Reuters, IBM is among the customers affected by the breach. Codecov has a customer base of 29,000 that includes many prominent names such as HP, Atlassian, GoDaddy, Procter & Gamble, The Washington Post, and more.
While some of the firms that have investigated the matter have confirmed that no code was modified as a result of the breach, the possibility of credential theft remains.
Codecov has notified the affected customers, and the FBI is also investigating the matter.