Vol. 1 · Ed. 2026
CyberGlossary
Entry № 196

Codecov Bash Uploader Compromise

What is Codecov Bash Uploader Compromise?

Codecov Bash Uploader Compromise: An April 2021 supply-chain incident in which attackers modified the Codecov Bash Uploader script, exfiltrating CI/CD secrets from thousands of customers.


In April 2021, code-coverage company Codecov disclosed that, since January 2021, its Bash Uploader script had been silently modified by attackers who exploited an error in Codecov's Docker image creation process. The trojanized uploader sent environment variables, including tokens, keys and credentials, from customer CI/CD pipelines to attacker-controlled infrastructure. Codecov is used by thousands of organizations, including major SaaS, fintech and security vendors; downstream consequences included secrets rotation across HashiCorp, Twilio, Rapid7 and others, plus follow-on intrusions. The incident underscored the risk of trusting opaque CI scripts and prompted broader controls such as ephemeral build secrets and signed CI tooling.

Examples

  1. A startup discovers that AWS keys exposed in its CI build were exfiltrated and rotates every credential touched by Codecov.

  2. A vendor migrates from bash-piped uploaders to a vendored, version-pinned action after the disclosure.

Frequently asked questions

What is Codecov Bash Uploader Compromise?

An April 2021 supply-chain incident in which attackers modified the Codecov Bash Uploader script, exfiltrating CI/CD secrets from thousands of customers. It belongs to the Vulnerabilities category of cybersecurity.

What does Codecov Bash Uploader Compromise mean?

An April 2021 supply-chain incident in which attackers modified the Codecov Bash Uploader script, exfiltrating CI/CD secrets from thousands of customers.

How does Codecov Bash Uploader Compromise work?

Attackers altered the Bash Uploader script that customers fetched and ran inside their CI jobs, after exploiting an error in Codecov's Docker image creation process. The altered script read the job's environment variables, which commonly hold tokens, keys and credentials, and sent them to infrastructure the attackers controlled. The change went unnoticed from January 2021 until Codecov's April 2021 disclosure, after which affected organizations, including HashiCorp, Twilio and Rapid7, rotated secrets, and some experienced follow-on intrusions.

How do you defend against Codecov Bash Uploader Compromise?

Defences against this class of compromise follow directly from how the incident unfolded: do not pipe a remotely fetched script straight into a shell; vendor or version-pin CI tooling and verify its checksum or signature before executing it; issue ephemeral build secrets so that anything exposed in a build expires quickly; and, after a disclosure, rotate every credential that was present in affected CI environments.
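The pinning-and-verification control mentioned above, shown as an added example that is not Codecov's own tooling or any project's real uploader: a CI step computes the SHA-256 of a fetched helper script and executes it only if the digest equals a value committed alongside the pipeline definition. The script content, file names and the pinned hash here are constructed for the demonstration; in a real pipeline the pin is updated only through code review when the upstream tool is deliberately upgraded.

```bash
#!/usr/bin/env bash
# Added example, not Codecov's own tooling: run a fetched CI helper script only
# if its SHA-256 matches a hash pinned in the repository. A modified copy, as in
# the 2021 incident, fails the check and is never executed.
set -euo pipefail

# Constructed stand-in for a downloaded uploader script (not the real one).
SAMPLE_SCRIPT='#!/bin/sh
echo "uploading coverage report"
'

# Print the SHA-256 of a file, using whichever digest tool the runner has.
sha256_of_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 when the file's digest equals the pinned value, 1 otherwise.
verify_pinned() {
    local file="$1" expected="$2" actual
    actual="$(sha256_of_file "$file")"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'refusing to run %s: sha256 %s != pinned %s\n' \
        "$file" "$actual" "$expected" >&2
    return 1
}

# run_pinned_script FILE EXPECTED_SHA256
# Executes the script only after verification passes; fails closed otherwise.
run_pinned_script() {
    verify_pinned "$1" "$2" || return 1
    sh "$1"
}

# Demonstration on constructed files. In a real pipeline the pin is committed
# next to the workflow definition and changed only through code review.
demo() {
    local dir good pin
    dir="$(mktemp -d)"
    good="$dir/uploader.sh"
    printf '%s' "$SAMPLE_SCRIPT" > "$good"
    pin="$(sha256_of_file "$good")"

    echo "good copy:"
    run_pinned_script "$good" "$pin"

    # Simulated tampering: any change to the script, however small, breaks the pin.
    printf '# line appended by someone other than the maintainers\n' >> "$good"
    echo "tampered copy:"
    if run_pinned_script "$good" "$pin"; then
        echo "ERROR: tampered script ran" >&2
        return 1
    fi
    echo "tampered copy blocked"
    rm -rf "$dir"
}

demo
```

The check is deliberately a plain digest comparison rather than a download-and-run one-liner: the pinned value lives in version control, so a change to the upstream script cannot reach a build without a reviewed commit that updates the pin. The same shape works for a signature check (replace `sha256_of_file` with a signature verification step) where the tool vendor publishes signed releases.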

What are other names for Codecov Bash Uploader Compromise?

Common alternative names include: Codecov supply chain attack.

Related terms