Developers shut down Bash Uploader project after attack on Codecov supply chain

In April 2021, unknown attackers compromised the supply chain of Codecov, a code coverage reporting service, and planted a credential-stealing modification in one of its tools. The compromised product was the Bash Uploader, the script Codecov customers run in their CI pipelines to submit code coverage reports for analysis.

The attacker is known to have gained access to the Bash Uploader script on January 31, 2021 and to have modified it periodically from then on, adding malicious code that harvested sensitive information from the CI environments of the customers who downloaded and ran the script, including credentials, tokens and keys.

The attacker's entry point was an error in the process Codecov used to build its Docker image, which allowed the credential needed to modify the Bash Uploader script to be extracted from the image.

To make matters worse, Codecov is used by more than 29,000 customers, including well-known companies such as GoDaddy, Atlassian, The Washington Post and Procter & Gamble (P&G). According to US federal investigators, who began looking into the incident immediately, the attackers used the stolen customer credentials to access hundreds of networks.

Rapid7 is known to have been affected: the company reported that the attackers gained access to some of its source code repositories. HashiCorp, Confluent, Twilio and many others also reported being affected by the compromise.

As the Codecov developers now write, they are discontinuing the Bash Uploader and replacing it with a new tool written in Node.js. The new uploader is already available in beta as a statically compiled executable that currently supports Windows, Linux, Alpine Linux and macOS.

"For the past eight months, Codecov has been developing a new uploader that does not rely on the bash script we currently provide to our clients. We launched this project because, as the use of Codecov grew and the development speed increased, the Bash Uploader became more difficult to maintain correctly. To deal with the aftermath of the incident at the product level, we immediately provided comprehensive documentation on how to verify the Codecov Bash Uploader until our new uploader is complete. Therefore, our ultimate and long-term goal has always been a complete replacement of the Bash Uploader," the developers write.

Starting November 1, 2021, the company will stage "random unplanned outages" of the Bash Uploader, deliberately making it unavailable for periods of time, before phasing it out entirely in February 2022.

BleepingComputer notes that, according to the company's blog, the compiled binary of the new uploader "makes it harder for an intermediary to modify the code" and so offers better integrity guarantees than the Bash Uploader.
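Both the verification the Codecov statement refers to and the integrity claim made for the compiled binary reduce to the same practice: check what you downloaded against a digest published somewhere other than the download location, and only then execute it. The following is an added example, not Codecov's code or its documented procedure. It is a shell wrapper that replaces the common `curl ... | bash` pattern with download, verify against a SHA256SUM file, then run. The file names, the stand-in script and the checksum file it generates are constructed for the demonstration and have nothing to do with the real uploader.

```bash
#!/usr/bin/env bash
# Added example (not Codecov's code): execute a downloaded CI helper script
# only after its SHA-256 digest matches a checksum file obtained from a
# source independent of the script's download location. File names and the
# stand-in script contents below are constructed for the demonstration.

# Print the hex SHA-256 digest of a file (sha256sum on Linux, shasum on macOS).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | awk '{print $1}'
}

# verify_script SCRIPT CHECKSUM_FILE
# CHECKSUM_FILE is in sha256sum(1) format: "<hex digest>  <file name>".
# Returns 0 when the digest matches, 1 on mismatch, 2 when no entry exists.
verify_script() {
  local script="$1" sums="$2" name expected actual
  name="$(basename "$script")"
  expected="$(awk -v f="$name" '$2 == f {print $1}' "$sums")"
  if [ -z "$expected" ]; then
    echo "verify_script: no checksum entry for $name in $sums" >&2
    return 2
  fi
  actual="$(digest "$script")"
  if [ "$expected" != "$actual" ]; then
    echo "verify_script: SHA-256 mismatch for $name (expected $expected, got $actual)" >&2
    return 1
  fi
  return 0
}

# verify_and_run SCRIPT CHECKSUM_FILE [ARGS...]
# Replacement for "curl ... | bash": the script runs only if verify_script
# accepts it; otherwise verify_script's status (1 or 2) is returned as-is.
verify_and_run() {
  local script="$1" sums="$2"
  shift 2
  verify_script "$script" "$sums" || return $?
  bash "$script" "$@"
}

# make_fixture: create a temporary directory holding a harmless stand-in
# script plus a matching SHA256SUM file, and print the directory path.
# Constructed test data, not the real uploader or its published checksums.
make_fixture() {
  local dir
  dir="$(mktemp -d)"
  cat > "$dir/uploader.sh" <<'EOF'
#!/usr/bin/env bash
# Constructed stand-in for a CI helper script (not the Codecov uploader).
echo "uploading coverage report: $*"
EOF
  ( cd "$dir" && printf '%s  %s\n' "$(digest uploader.sh)" uploader.sh > SHA256SUM )
  printf '%s\n' "$dir"
}

# demo: the pristine script passes and runs; after a single appended line
# (even a comment) the digest no longer matches and nothing is executed.
demo() {
  local d rc
  d="$(make_fixture)"
  verify_and_run "$d/uploader.sh" "$d/SHA256SUM" report.xml
  echo '# any later modification changes the digest' >> "$d/uploader.sh"
  rc=0
  verify_and_run "$d/uploader.sh" "$d/SHA256SUM" report.xml || rc=$?
  echo "tampered script rejected with status $rc"
  rm -rf "$d"
}
```

Call `demo` to see both paths. The check is only as strong as the provenance of the checksum file: a SHA256SUM served from the same host as the script gives no protection once that host is compromised, so it has to come from an independent location (a pinned tag in a separate repository, or a file signed with a key the pipeline already trusts). The same rule applies to a compiled binary: compiling the uploader raises the bar for tampering, but pinning the exact digest the pipeline is allowed to run is what actually detects a swapped artifact.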


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
