SecurityWeek

Application Security

CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack

Following a major software supply chain compromise that exposed data for several major companies, developer tools startup CodeCov plans to kill off the Bash Uploader tool that was responsible for the breach.

CodeCov, a little-known startup considered the vendor of choice for measuring code coverage in the tech industry, has shipped an entirely new Uploader using NodeJS to replace the Bash Uploader dev tool that was compromised in a recent software supply chain attack.

“We initiated this project because, as usage of Codecov has grown and our development velocity has increased, the Bash Uploader has become increasingly complex to properly maintain,” CodeCov said.

The company said that Bash Uploader, over time, added many “magic features” that were difficult to reason through and support against an ever-increasing number of use cases and warned that the distribution mechanism of choice [curl pipe to bash] “is notoriously problematic from a security perspective.”

[ SEE: CodeCov Discloses Ominous Software Supply Chain Hack ]

CodeCov said the weaknesses of that distribution mechanism were the cause of the incident, which claimed a range of victims including HashiCorp, Mozilla, Twilio, and Rapid7.

“To combat this incident from a product perspective we initially provided better documentation on how to verify the Codecov Bash Uploader until our new Uploader was complete, but our ultimate long-term goal has always been to replace the Bash Uploader altogether,” the company said in a blog post.
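
The verify-before-execute step that replaces a curl-pipe-to-bash install, as an added example (not taken from the article or from Codecov's documentation). The function names, the stand-in script and the pinned digest are constructed for illustration.

```sh
#!/bin/sh
# Added example: run a downloaded CI script only if it matches a pinned SHA-256,
# instead of piping the download straight into a shell.

# Print the lowercase hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 on an exact digest match, 1 on mismatch, 2 if the file is missing.
verify_pinned() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file (got $actual)" >&2
        return 1
    fi
}

# Execute the script with its arguments only after it verifies.
run_if_pinned() {
    local file="$1" expected="$2"
    shift 2
    verify_pinned "$file" "$expected" || return $?
    sh "$file" "$@"
}

# Constructed demonstration: a stand-in script is pinned, run, changed, refused.
demo() {
    local dir script pin
    dir=$(mktemp -d) || return 2
    script="$dir/uploader.sh"   # stand-in file, not the real uploader
    printf '%s\n' 'echo "uploading coverage"' > "$script"
    pin=$(sha256_of "$script")  # in practice a reviewed value committed to the repo
    run_if_pinned "$script" "$pin"
    printf '%s\n' 'echo "line added after pinning"' >> "$script"
    run_if_pinned "$script" "$pin" || echo "refused to run, status $?"
    rm -rf "$dir"
}
demo
```

The pin only helps if it is stored and reviewed separately from the download, and the file should sit in a directory no other job can write to between the check and the run.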

CodeCov said the new Uploader using NodeJS is shipped as a static binary executable on the Windows, Linux, Alpine Linux, and macOS operating systems.

“We will be deprecating all other language-specific uploaders,” the company added.

The CodeCov supply chain hack occurred in January 2021 but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021.

Codecov said the breach allowed the attackers to export information stored in its users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.

In the weeks and months following the CodeCov disclosure of the incident, CodeCov customers Twilio and HashiCorp confirmed data was either exposed or hijacked. Separately, enterprise security vendor Rapid7 says an unauthorized third party accessed source code and customer data during the Codecov supply chain breach.

Related: Twilio, HashiCorp Among CodeCov Supply Chain Victims

Related: Rapid7 Source Code Exposed in Codecov Supply Chain Attack

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
