Developers shut down Bash Uploader project after attack on Codecov supply chain

In April 2021, unknown hackers attacked the supply chain of the online software testing platform Codecov and added a credential collector to one of the tools. The compromise affected the Bash Uploader product, which allows Codecov customers to submit code coverage reports for analysis.

The entry point for the attacker was a mistake made by the developers during the creation of the Docker Codecov image, which allowed the attacker to extract the credentials needed to make changes to the Bash Uploader script.

To make matters worse, Codecov is used by more than 29,000 customers, including well-known companies such as GoDaddy, Atlassian, The Washington Post, and Procter & Gamble (P&G). According to the US federal authorities, which immediately began investigating the incident, attackers used stolen customer credentials to access hundreds of networks.

It is known that Rapid7 suffered from this attack on the supply chain, as its representatives reported that attackers gained access to the source code of the company. Also, software developers from the Hashicorp company, the Confluent cloud provider, the Twilio voice call service and many others reported about the compromise.

As the Codecov developers now write, they are scrapping the development of the Bash Uploader, and it will be replaced by a new tool written in NodeJS. The new bootloader is already available in beta as a static executable binary that currently supports Windows, Linux, Alpine Linux and macOS systems.

Starting November 1, 2021, the company will be performing “random unplanned outages” of the Bash Uploader, intentionally making it unavailable, and phasing it out entirely by February 2022.

Bleeping Computer notes that the company’s blog states that the compiled binary of the new bootloader “makes it harder for an intermediary to modify the code” and provides increased security compared to the Bash Uploader.