Credential-slurping code lingered in Bash Uploader script for months


Codecov users have been warned to take immediate action after the discovery of a credential-stealing backdoor that was active for three months.

A statement from Codecov, which offers a range of software code testing products, confirmed that an unknown party gained access to its Bash Uploader script and made changes without permission.

These changes included the planting of malicious code that stole secret authentication tokens and other sensitive data and sent it to a remote site controlled by the hackers.

Gaining access

They gained access due to a vulnerability in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify the script.

An investigation found that there were “periodic, unauthorized alterations” of the script by a third party, which enabled them to potentially export information stored in users’ continuous integration (CI) environments.

This information was then sent to a third-party server outside of Codecov’s infrastructure, according to the release:

“The Bash Uploader is also used in these related uploaders: Codecov-actions uploader for Github, the Codecov CircleCl Orb, and the Codecov Bitrise Step (together, the ‘Bash Uploaders’). Therefore, these related uploaders were also impacted by this event,” it read.

Attack surface

The unauthorized access was found to have taken place on January 31. Upon discovering the issue on April 1, Codecov said it immediately remediated the script and began investigating any potential impact on users.

Codecov also warned that other the changes to Bash Uploader could also affect any credentials, tokens, or keys that customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.

Also potentially impacted is any services, datastores, and application code that could be accessed with these credentials, tokens, or keys, along with the Git remote information of repositories using the Bash Uploaders to upload coverage to Codecov in CI.


READ Feds zap Exchange Server backdoors as Microsoft offers patches for further flaws


Users have been advised to “immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders”.

More information about the specific alterations to the script can be found in Codecov’s statement.

The issue has been reported to law enforcement and Codecov said it has emailed any users it believes could be affected.


YOU MAY ALSO LIKE Researchers trick Duo 2FA into sending authentication request to attacker-controlled device