Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Twilio, HashiCorp Among Codecov Supply Chain Hack Victims

The massive blast radius from the Codecov supply chain attack remains shrouded in mystery as security teams continue to assess the fallout from the breach but a handful of victims are starting to publicly acknowledge possible exposure of sensitive developer secrets.

The massive blast radius from the Codecov supply chain attack remains shrouded in mystery as security teams continue to assess the fallout from the breach but a handful of victims are starting to publicly acknowledge possible exposure of sensitive developer secrets.

The stealth software supply chain compromise of the Codecov Bash Uploader went undetected since January this year and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.

The first company to publicly acknowledge exposure was HashiCorp, a company that markets open-source developer and security tools for cloud-computing infrastructure. HashiCorp said a post-breach investigation found a subset of its CI pipelines used the affected Codecov component.

Specifically, the GPG private key used for signing hashes used to validate HashiCorp product downloads was exposed.  “While investigation has not revealed evidence of unauthorized usage of the exposed GPG key, it has been rotated in order to maintain a trusted signing mechanism,” the company said in a published security notice.

[ SEE: Codecov Tool Compromised in Supply Chain Hack ]

Following HashiCorp’s statement, San Francisco-based Twilio issued an advisory to confirm it used the compromised Bash Uploader component in a small number of projects and CI pipelines.

“Our subsequent investigation into the impact of this event found that a small number of email addresses had likely been exfiltrated by an unknown attacker as a result of this exposure. We have notified those impacted individuals privately and have remediated the additional potential exposure by thoroughly reviewing and rotating any potentially exposed credentials,” Twilio added.

“As soon as we became aware of the event, we identified any potentially exposed credentials or secrets and rotated them. This removed any ability the bad actor would have had to access our environment. Additionally, we investigated the scope of those credentials and validated, to the best of our ability, that there hadn’t been any abuses of them,” the company added.

Codecov has deleted a web page from its site that claimed more than 29,000 companies rely on its code coverage products.  The customer page listed high profile companies like GoDaddy, Proctor & Gamble, Lululemon, RBC, Mozilla and Elastic.

On Twitter and on some public security forums, Mozilla community developers have discussed the rotation of developer secrets, confirming that the extent of the breach has not yet been properly assessed.

The Codecov hack was discovered in the wild by a Codecov customer on the morning of April 1, 2021 when the company said it learned that someone had gained unauthorized access to the Bash Uploader script and modified it without permission. 

“The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” Codecov said, warning that the attacks began in late January and went undetected until a customer noticed a discrepancy between the shasum on Github and the shasum calculated from the downloaded Bash Uploader.

Codecov said the breach allowed the attackers to export information stored in its users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.”

RelatedView Sessions on Demand From SecurityWeek’s 2021 (Virtual) Supply Chain Security Summit

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...