Twilio, HashiCorp Among Codecov Supply Chain Hack Victims

The massive blast radius from the Codecov supply chain attack remains shrouded in mystery as security teams continue to assess the fallout from the breach but a handful of victims are starting to publicly acknowledge possible exposure of sensitive developer secrets.

The stealth software supply chain compromise of the Codecov Bash Uploader went undetected since January this year and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.

The first company to publicly acknowledge exposure was HashiCorp, a company that markets open-source developer and security tools for cloud-computing infrastructure. HashiCorp said a post-breach investigation found a subset of its CI pipelines used the affected Codecov component.

Specifically, the GPG private key used for signing hashes used to validate HashiCorp product downloads was exposed.  “While investigation has not revealed evidence of unauthorized usage of the exposed GPG key, it has been rotated in order to maintain a trusted signing mechanism,” the company said in a published security notice.

[ SEE: Codecov Tool Compromised in Supply Chain Hack ]

Following HashiCorp’s statement, San Francisco-based Twilio issued an advisory to confirm it used the compromised Bash Uploader component in a small number of projects and CI pipelines.

“Our subsequent investigation into the impact of this event found that a small number of email addresses had likely been exfiltrated by an unknown attacker as a result of this exposure. We have notified those impacted individuals privately and have remediated the additional potential exposure by thoroughly reviewing and rotating any potentially exposed credentials,” Twilio added.

“As soon as we became aware of the event, we identified any potentially exposed credentials or secrets and rotated them. This removed any ability the bad actor would have had to access our environment. Additionally, we investigated the scope of those credentials and validated, to the best of our ability, that there hadn’t been any abuses of them,” the company added.

Codecov has deleted a web page from its site that claimed more than 29,000 companies rely on its code coverage products.  The customer page listed high profile companies like GoDaddy, Proctor & Gamble, Lululemon, RBC, Mozilla and Elastic.

On Twitter and on some public security forums, Mozilla community developers have discussed the rotation of developer secrets, confirming that the extent of the breach has not yet been properly assessed.

The Codecov hack was discovered in the wild by a Codecov customer on the morning of April 1, 2021 when the company said it learned that someone had gained unauthorized access to the Bash Uploader script and modified it without permission. 

“The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” Codecov said, warning that the attacks began in late January and went undetected until a customer noticed a discrepancy between the shasum on Github and the shasum calculated from the downloaded Bash Uploader.

Codecov said the breach allowed the attackers to export information stored in its users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.”

Related: View Sessions on Demand From SecurityWeek’s 2021 (Virtual) Supply Chain Security Summit