At a Glance
Days after hackers gained access to credentials, tokens, and keys stored in customers' datastores through software company Codecov's 'Bash Uploader' script, U.S. federal investigators are probing the intrusion. The data accessed was sent to a third-party server outside Codecov.
Codecov’s Bash Uploader script is designed to map out development environments and report them back to the company.
The issue dates back to January 31 this year: in a statement this April, Codecov said that hackers had been tampering since that date with its software, which helps tech companies test code for mistakes. The tampering was only detected on April 1, when a customer noticed something odd about the tool, and it turned out to be far more than an April Fools' prank.
Codecov CEO Jerrod Engelberg said in a note posted on the company website that credentials, authentication tokens, or keys from customers' CI processes were exposed, giving the hacker access to any datastores or application code reachable with those stolen customer credentials. He recommended that affected customers immediately re-roll all credentials, tokens, or keys held in the environment variables used by Codecov's Bash Uploader.
Codecov has not disclosed how many customers were affected and has instead notified those affected in writing. Following the detection of the intrusion, experts have suggested that the breach could be the first shoe to drop in a broader software supply chain attack with messy repercussions.
Other experts in software development and security feel that the scope of the damage will depend on a variety of factors, including the hackers' motivations. Given the time the attackers spent on Codecov's network, the focus was likely on obtaining customers' code rather than information about the company itself.
John Bambenek, the founder of cybersecurity consulting firm Bambenek Labs, praised Codecov for investigating and disclosing a trivial change in its code within just three months despite having limited resources. He drew comparisons between the Codecov breach and the SolarWinds breach, in which far larger code changes went unnoticed for at least a year.
Codecov has 29,000 customers, including GoDaddy Inc, The Washington Post, and Atlassian Corporation PLC.