In April 2021, Codecov was compromised by an unknown threat actor who abused their access to the company's cloud environment to conduct a supply chain attack. The threat actor gained initial access to Codecov's GCP environment by extracting an HMAC key for a service account from a public Docker image created by Codecov. The attacker then used this key to modify the version of the Codecov Bash Uploader that was stored in Google Cloud Storage and made available for end users to download, inserting a malicious payload to be executed in customer environments. Codecov learned of the incident when one of its customers reported that the checksum of the Bash Uploader version they had downloaded (which had been tampered with by the attacker) differed from the known hash value published in Codecov's public code repository. Multiple Codecov customers are known to have been impacted by this supply chain attack, with the threat actor managing to exfiltrate data from their environments.
Type: Incident
Actors:
Pub. date: April 15, 2021
Initial access: Exposed secret
Impact: Supply chain attack
References:
https://about.codecov.io/security-update/
https://about.codecov.io/apr-2021-post-mortem/
https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512
https://www.twilio.com/blog/response-to-the-codecov-vulnerability
https://web.archive.org/web/20210829164716/https://monday.com/blog/news/monday-coms-response-to-the-recent-codecov-vulnerability/
https://about.mercari.com/en/press/news/articles/20210521_incident_report/
https://www.rapid7.com/blog/post/2021/05/13/rapid7s-response-to-codecov-incident/
Status: Featured
Last edited: Jun 2, 2024 8:02 AM