The massive blast radius from the Codecov supply chain attack remains shrouded in mystery as security teams continue to assess the fallout from the breach but a handful of victims are starting to publicly acknowledge possible exposure of sensitive developer secrets.
The stealth software supply chain compromise of the Codecov Bash Uploader went undetected since January this year and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.
The first company to publicly acknowledge exposure was HashiCorp, a company that markets open-source developer and security tools for cloud-computing infrastructure. HashiCorp said a post-breach investigation found a subset of its CI pipelines used the affected Codecov component.
Specifically, the GPG private key used for signing hashes used to validate HashiCorp product downloads was exposed. “While investigation has not revealed evidence of unauthorized usage of the exposed GPG key, it has been rotated in order to maintain a trusted signing mechanism,” the company said in a published security notice.
[ SEE: Codecov Tool Compromised in Supply Chain Hack ]
Following HashiCorp’s statement, San Francisco-based Twilio issued an advisory to confirm it used the compromised Bash Uploader component in a small number of projects and CI pipelines.
“Our subsequent investigation into the impact of this event found that a small number of email addresses had likely been exfiltrated by an unknown attacker as a result of this exposure. We have notified those impacted individuals privately and have remediated the additional potential exposure by thoroughly reviewing and rotating any potentially exposed credentials,” Twilio added.
“As soon as we became aware of the event, we identified any potentially exposed credentials or secrets and rotated them. This removed any ability the bad actor would have had to access our environment. Additionally, we investigated the scope of those credentials and validated, to the best of our ability, that there hadn’t been any abuses of them,” the company added.
Codecov has deleted a web page from its site that claimed more than 29,000 companies rely on its code coverage products. The customer page listed high profile companies like GoDaddy, Proctor & Gamble, Lululemon, RBC, Mozilla and Elastic.
On Twitter and on some public security forums, Mozilla community developers have discussed the rotation of developer secrets, confirming that the extent of the breach has not yet been properly assessed.
The Codecov hack was discovered in the wild by a Codecov customer on the morning of April 1, 2021 when the company said it learned that someone had gained unauthorized access to the Bash Uploader script and modified it without permission.
“The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” Codecov said, warning that the attacks began in late January and went undetected until a customer noticed a discrepancy between the shasum on Github and the shasum calculated from the downloaded Bash Uploader.
Codecov said the breach allowed the attackers to export information stored in its users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.”
Related: View Sessions on Demand From SecurityWeek’s 2021 (Virtual) Supply Chain Security Summit

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities
- Gem Security Gets $11 Million Seed Investment for Cloud Incident Response Platform
- Ransomware Leads to Nantucket Public Schools Shutdown
- Sentra Raises $30 Million for DSPM Technology
- Saviynt Raises $205M; Founder Rejoins as CEO
- OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings
- Tenable Launches $25 Million Early-Stage Venture Fund
- VMware Plugs Critical Code Execution Flaws
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
