
Twilio, HashiCorp Among Codecov Supply Chain Hack Victims

The massive blast radius from the Codecov supply chain attack remains shrouded in mystery as security teams continue to assess the fallout from the breach, but a handful of victims are starting to publicly acknowledge possible exposure of sensitive developer secrets.


The stealth software supply chain compromise of the Codecov Bash Uploader had gone undetected since January this year and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.

The first company to publicly acknowledge exposure was HashiCorp, a company that markets open-source developer and security tools for cloud-computing infrastructure. HashiCorp said a post-breach investigation found a subset of its CI pipelines used the affected Codecov component.

Specifically, the GPG private key used for signing hashes used to validate HashiCorp product downloads was exposed. “While investigation has not revealed evidence of unauthorized usage of the exposed GPG key, it has been rotated in order to maintain a trusted signing mechanism,” the company said in a published security notice.


Following HashiCorp’s statement, San Francisco-based Twilio issued an advisory to confirm it used the compromised Bash Uploader component in a small number of projects and CI pipelines.

“Our subsequent investigation into the impact of this event found that a small number of email addresses had likely been exfiltrated by an unknown attacker as a result of this exposure. We have notified those impacted individuals privately and have remediated the additional potential exposure by thoroughly reviewing and rotating any potentially exposed credentials,” Twilio added.

“As soon as we became aware of the event, we identified any potentially exposed credentials or secrets and rotated them. This removed any ability the bad actor would have had to access our environment. Additionally, we investigated the scope of those credentials and validated, to the best of our ability, that there hadn’t been any abuses of them,” the company added.


Codecov has deleted a web page from its site that claimed more than 29,000 companies rely on its code coverage products. The customer page listed high-profile companies like GoDaddy, Procter & Gamble, Lululemon, RBC, Mozilla and Elastic.

On Twitter and on some public security forums, Mozilla community developers have discussed the rotation of developer secrets, confirming that the extent of the breach has not yet been properly assessed.

The Codecov hack was discovered in the wild by a Codecov customer on the morning of April 1, 2021, when the company said it learned that someone had gained unauthorized access to the Bash Uploader script and modified it without permission.

“The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” Codecov said, warning that the attacks began in late January and went undetected until a customer noticed a discrepancy between the shasum on GitHub and the shasum calculated from the downloaded Bash Uploader.

Codecov said the breach allowed the attackers to export information stored in its users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.
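The comparison that exposed the tampering, a published shasum checked against the digest of the downloaded script, can be enforced in a pipeline before the script is allowed to run. The following is an added example, not code from Codecov or from the original article; the function names and the stand-in `uploader.sh` with its contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded CI script against a pinned SHA-256 before running it.

# Print the lowercase hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE PIN: 0 = digest matches, 1 = mismatch, 2 = unusable input.
verify_pinned() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "verify: $file not found" >&2; return 2; }
    # Reject an empty or malformed pin so an unset CI variable can never "match".
    case "$expected" in
        ''|*[!0-9a-f]*) echo "verify: malformed pin" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify: malformed pin" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        printf 'verify: digest mismatch for %s\n  pinned %s\n  actual %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
}

# run_if_verified FILE PIN [ARGS...]: execute FILE only after the digest check passes.
run_if_verified() {
    local file="$1" expected="$2"
    shift 2
    verify_pinned "$file" "$expected" || return $?
    bash "$file" "$@"
}

# Constructed demo: a stand-in uploader script, then the same file after one appended line.
demo() {
    local dir pin
    dir=$(mktemp -d) || return 2
    printf '%s\n' '#!/bin/bash' 'echo "uploading coverage report"' > "$dir/uploader.sh"
    pin=$(sha256_of "$dir/uploader.sh")   # in practice: a reviewed value committed to the repo
    run_if_verified "$dir/uploader.sh" "$pin" && echo "first run: verified and executed"
    printf '%s\n' 'echo "line added after review"' >> "$dir/uploader.sh"
    run_if_verified "$dir/uploader.sh" "$pin" || echo "second run: blocked (exit $?)"
    rm -rf "$dir"
}
demo
```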


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
