Security Experts:

CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack

Following a major software supply chain compromise that exposed data for several major companies, developer tools startup CodeCov plans to kill off the Bash Uploader tool that was responsible for the breach.

CodeCov, a little-known startup considered the vendor of choice for measuring code coverage in the tech industry, has shipped an entirely new Uploader using NodeJS to replace the Bash Uploader dev tool that was compromised in a recent software supply chain attack.

“We initiated this project because, as usage of Codecov has grown and our development velocity has increased, the Bash Uploader has become increasingly complex to properly maintain,” CodeCov said.

The company said that Bash Uploader, over time, added many “magic features” that were difficult to reason through and support against an ever-increasing number of use cases and warned that the distribution mechanism of choice [curl pipe to bash] “is notoriously problematic from a security perspective.”

[ SEE: CodeCov Discloses Ominous Software Supply Chain Hack ]

CodeCov said the weaknesses of that distribution mechanism was the cause of the incident, which claimed a range of victims including HashiCorp, Mozilla, Twilio, and Rapid7.

“To combat this incident from a product perspective we initially provided better documentation on how to verify the Codecov Bash Uploader until our new Uploader was complete, but our ultimate long-term goal has always been to replace the Bash Uploader altogether, '' the company said in a blog post.

CodeCov said the new Uploader using NodeJS is shipped as a static binary executable on the Windows, Linux, Alpine Linux, and macOS operating systems.

“We will be deprecating all other language-specific uploaders,” the company added.

The CodeCov supply chain hack occurred in January 2021 but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021.

Codecov said the breach allowed the attackers to export information stored in its users' continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.

In the weeks and months following the CodeCov disclosure of the incident, CodeCov customers Twilio and HashiCorp confirmed data was either exposed or hijacked. Separately, enterprise security vendor Rapid7 says an unauthorized third-party accessed source code and customer data during the Codecov supply chain breach.

Related: Twilio, HashiCorp Among CodeCov Supply Chain Victims

Related: Rapid7 Source Code Exposed in Codecov Supply Chain Attack

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.