UPDATE: April 30, 2021: Codecov has contacted victims of a malicious supply chain attack originally disclosed in mid-April, posting indicators of compromise and known IP addresses used to modify its Bash Uploader script and transmit stolen customer data, the company said Thursday.
Attackers accessed Bash Uploader 108 times between Jan. 31 and April 1 that the Bash Uploader was affected, Codecov said. Users who were part of the affected group were sent emails and a notification banner in the Codecov application Thursday evening. As part of the notification, Codecov disclosed additional details about which environment variables the threat actor obtained.
- Federal authorities are probing a security breach at Codecov, an open-source code testing provider, in what could be the next major supply chain attack to roil the IT-security industry, analysts warn. The attack began Jan. 31, but the breach was not discovered until April 1.
- Unidentified third parties gained access to and modified Codecov's Bash Uploader script, which allowed them to exfiltrate customer information stored in its continuous integration (CI) environments. Codecov declined to comment further on the breach, directing inquiries to a blog post published April 15.
- More than 29,000 enterprise customers worldwide use Codecov's services. Security researchers are comparing the impact of the breach to the nation-state attack against SolarWinds, which disrupted the international IT supply chain.
Codecov warned that modifications to the Bash Uploader script could potentially affect any credentials, tokens or keys that customers were passing through the CI runner. Services, datastores and application code that was linked to these credentials could also be at risk, according to Codecov.
The company said it hired an outside forensics company to investigate. Codecov says it is fully cooperating with law enforcement after reporting the incident to authorities.
"The Codecov incident is typical of an increasingly concerning attack form that was used in incidents like SolarWinds — targeting internal development infrastructure to poison software and use the supply chain effect to pass the issue downstream," Ilkka Turunen, Field CTO at Sonatype, said via email.
The DevOps community feared such an attack for many years. Sonatype officials consider development infrastructure part of the security frontline.
"It looks like a big supply chain issue, and like SolarWinds, the potential to use it as a launching pad for attacks against Codecov customers should be the foremost concern," said Sandy Carielli, principal analyst at Forrester Research.
Codecov recommended its users roll credentials. "In this situation they should try to force it if they can," Carielli said.
The breach also raises the specter of third-party risk and customers may want to consider reviewing all of their policies and controls regarding vendors, according to Carielli.
CircleCI, a continuous integration and continuous delivery platform, confirmed that the Codecov breach impacted its integration with the code testing firm CircleCI Orb.
"Yes the integration was impacted in that all of Codecov was affected," a spokesperson for CircleCI said. "The integration is a connection point between the two services that Codecov supplies and maintains."
Codecov customers were sent alerts instructing them to rotate their credentials and environment variables, the spokesperson said. Other Codecov customers were still working to assess the impact of the breach on their systems.
"We are investigating the reported Codecov incident and so far have found no modifications of code involving clients or IBM," an IBM spokesperson said in an emailed statement.
Software security platform Checkmarx said after a thorough investigation, it found no evidence that the company or its customers were affected, but did take some precautionary steps.
“We have taken the appropriate steps to remove the integration from the limited instance where it was used, and will continue to monitor the situation closely,” according to an emailed statement.
An FBI spokesperson would neither confirm nor deny the existence of a current investigation, citing Department of Justice policy. Officials at the Cybersecurity & Infrastructure Security Agency did not return a request for comment.