Connect with us

Hi, what are you looking for?


Application Security

CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack

Following a major software supply chain compromise that exposed data for several major companies, developer tools startup CodeCov plans to kill off the Bash Uploader tool that was responsible for the breach.

Following a major software supply chain compromise that exposed data for several major companies, developer tools startup CodeCov plans to kill off the Bash Uploader tool that was responsible for the breach.

CodeCov, a little-known startup considered the vendor of choice for measuring code coverage in the tech industry, has shipped an entirely new Uploader using NodeJS to replace the Bash Uploader dev tool that was compromised in a recent software supply chain attack.

“We initiated this project because, as usage of Codecov has grown and our development velocity has increased, the Bash Uploader has become increasingly complex to properly maintain,” CodeCov said.

The company said that Bash Uploader, over time, added many “magic features” that were difficult to reason through and support against an ever-increasing number of use cases and warned that the distribution mechanism of choice [curl pipe to bash] “is notoriously problematic from a security perspective.”

[ SEE: CodeCov Discloses Ominous Software Supply Chain Hack ]

CodeCov said the weaknesses of that distribution mechanism was the cause of the incident, which claimed a range of victims including HashiCorp, Mozilla, Twilio, and Rapid7.

“To combat this incident from a product perspective we initially provided better documentation on how to verify the Codecov Bash Uploader until our new Uploader was complete, but our ultimate long-term goal has always been to replace the Bash Uploader altogether, ” the company said in a blog post.

Advertisement. Scroll to continue reading.

CodeCov said the new Uploader using NodeJS is shipped as a static binary executable on the Windows, Linux, Alpine Linux, and macOS operating systems.

“We will be deprecating all other language-specific uploaders,” the company added.

The CodeCov supply chain hack occurred in January 2021 but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021.

Codecov said the breach allowed the attackers to export information stored in its users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.

In the weeks and months following the CodeCov disclosure of the incident, CodeCov customers Twilio and HashiCorp confirmed data was either exposed or hijacked. Separately, enterprise security vendor Rapid7 says an unauthorized third-party accessed source code and customer data during the Codecov supply chain breach.

Related: Twilio, HashiCorp Among CodeCov Supply Chain Victims

Related: Rapid7 Source Code Exposed in Codecov Supply Chain Attack

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...