19 April 2021 at 13:25 UTC
Updated: 19 April 2021 at 13:29 UTC
Credential-slurping code lingered in Bash Uploader script for months
Codecov users have been warned to take immediate action after the discovery of a credential-stealing backdoor that was active for three months.
A statement from Codecov, which offers a range of software code testing products, confirmed that an unknown party gained access to its Bash Uploader script and made changes without permission.
These changes included the planting of malicious code that stole secret authentication tokens and other sensitive data and sent it to a remote site controlled by the hackers.
They gained access due to a vulnerability in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify the script.
An investigation found that there were “periodic, unauthorized alterations” of the script by a third party, which enabled them to potentially export information stored in users’ continuous integration (CI) environments.
This information was then sent to a third-party server outside of Codecov’s infrastructure, according to the release:
“The Bash Uploader is also used in these related uploaders: Codecov-actions uploader for Github, the Codecov CircleCI Orb, and the Codecov Bitrise Step (together, the ‘Bash Uploaders’). Therefore, these related uploaders were also impacted by this event,” it read.
The unauthorized access was found to have taken place on January 31. Upon discovering the issue on April 1, Codecov said it immediately remediated the script and began investigating any potential impact on users.
Codecov also warned that the changes to the Bash Uploader could affect any credentials, tokens, or keys that customers were passing through their CI runner, since these would be accessible when the Bash Uploader script was executed.
Also potentially impacted are any services, datastores, and application code that could be accessed with these credentials, tokens, or keys, along with the Git remote information of repositories that used the Bash Uploaders to upload coverage to Codecov in CI.
Users have been advised to “immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders”.
More information about the specific alterations to the script can be found in Codecov’s statement.
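The incident turns on a CI step downloading a helper script and executing it with the runner's secrets in scope, so a tampered copy runs with the same access as the legitimate one. The following added example (not Codecov's own code, and not part of the original article) shows the defensive pattern a CI pipeline can apply to any downloaded script: save it to disk, compare its SHA-256 against a hash pinned in the repository, and execute it only on a match. The file names, the sample script contents and the pinned hash are all constructed for the demonstration.

```shell
#!/usr/bin/env sh
# Added example: verify-before-execute for a downloaded CI helper script.
# All paths, script contents and hashes here are constructed, not Codecov's.

# sha256_of FILE -> prints the hex SHA-256 of FILE (GNU coreutils or perl shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_script FILE EXPECTED_SHA256 -> exit status 0 only if the hashes match
verify_script() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256 -> executes FILE only after verify_script
# passes; on a mismatch nothing is executed and status 1 is returned, so the
# CI job fails closed instead of running an altered script with its secrets.
run_verified() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: SHA-256 mismatch" >&2
        return 1
    fi
}

# demo: a pinned "good" script and a copy that was edited after pinning.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$dir/uploader.sh"
    pinned=$(sha256_of "$dir/uploader.sh")          # hash recorded at pin time
    cp "$dir/uploader.sh" "$dir/tampered.sh"
    printf 'echo "extra line added after pinning"\n' >> "$dir/tampered.sh"
    run_verified "$dir/uploader.sh" "$pinned" && echo "pinned copy ran"
    run_verified "$dir/tampered.sh" "$pinned" || echo "altered copy blocked"
    rm -rf "$dir"
}

demo
```

In a real pipeline the pinned hash lives in the repository next to the workflow definition, so any change to the upstream script shows up as a failed job that a reviewer has to approve by updating the hash, rather than silently running with the CI environment's tokens.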
The issue has been reported to law enforcement and Codecov said it has emailed any users it believes could be affected.