The hacker had been receiving customer data from the coding platform Codecov for several months.

Potential customers of the Codecov platform, which is used for testing code, could include large companies such as Atlassian, Procter & Gamble, GoDaddy and The Washington Post.

Platform CEO Jerrod Engelberg explained in his statement that the attacker gained unauthorized access to the company's Bash Uploader script and modified it. The modification could potentially have given the attacker any credentials, tokens or keys stored in customers' continuous integration (CI) environments, along with access to any services and data stores those secrets unlock. The harvested data was then sent to a third-party server outside of Codecov's infrastructure.

The company's Bash Uploader is also used in three related uploaders: the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step. All three were affected as well.

“The hacker gained access due to an error in the process of creating a Codecov Docker image, which allowed him to extract the credentials needed to modify our Bash Uploader script,” Engelberg said. “Immediately after becoming aware of the issue, Codecov secured and fixed the vulnerable script and began investigating any potential impact on users.”

After investigating the incident, the company determined that the attacker had periodically modified the Bash Uploader script since January 31 of this year. Codecov became aware of the compromise on April 1, when a customer discovered and reported an inconsistency in the Bash Uploader.
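An inconsistency like the one the customer noticed is exactly what a pinned-hash check catches before the script ever runs. The following is an added example, not Codecov's own code or the Bash Uploader itself: it assumes the CI helper script is downloaded to a local file first (never piped straight into a shell) and that the pinned SHA-256 was recorded when your team reviewed that version, not fetched from the same server that serves the script. The file names, the `demo` function and the tamper line are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not Codecov's code): refuse to execute a fetched CI helper
# script unless its SHA-256 matches a hash pinned at review time.
# Assumes GNU coreutils `sha256sum`; on macOS use `shasum -a 256` instead.

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to EXPECTED_SHA256, 1 otherwise (details on stderr).
verify_script() {
  file="$1"
  expected="$2"
  actual=$(sha256sum "$file" | cut -d ' ' -f 1)
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'integrity check failed for %s\n  expected: %s\n  actual:   %s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# run_verified FILE EXPECTED_SHA256
# Executes FILE only after the hash check passes; returns 1 without running it otherwise.
run_verified() {
  verify_script "$1" "$2" || return 1
  sh "$1"
}

# Demonstration with a constructed stand-in for an uploader script.
# In a real pipeline PINNED_SHA256 is a literal committed to the repo after review.
demo() {
  dir=$(mktemp -d)
  reviewed="$dir/uploader.sh"
  printf '#!/bin/sh\necho "upload coverage report"\n' > "$reviewed"
  PINNED_SHA256=$(sha256sum "$reviewed" | cut -d ' ' -f 1)   # captured at review time

  # A later download that is byte-identical to the reviewed copy passes.
  run_verified "$reviewed" "$PINNED_SHA256" || return 1

  # A later download with any extra line (constructed tamper) must be refused.
  printf 'echo "tampered"\n' >> "$reviewed"
  if run_verified "$reviewed" "$PINNED_SHA256" 2>/dev/null; then
    rm -rf "$dir"
    return 1   # the modified script ran: the check is broken
  fi
  rm -rf "$dir"
  return 0
}
```

In a pipeline, replace the computed `PINNED_SHA256` with the literal hash you recorded at review, and treat a mismatch as a build failure to be investigated rather than something to retry; a hash that changes without a corresponding release note is the signal this incident was missing for two months.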

“We strongly recommend that affected users immediately re-roll all of their credentials, tokens or keys located in environment variables in their CI processes that were using one of Codecov's Bash Uploaders,” Engelberg concluded.
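Re-rolling every secret starts with knowing which ones the CI environment exposed. The following is an added example, not Codecov's code: it builds a rotation checklist from the names (never the values) of environment variables whose names look like credentials. The `NAME_PATTERN` heuristic and the sample environment are constructed here and should be extended to match your own naming conventions.

```shell
#!/bin/sh
# Added example (not Codecov's code): inventory credential-like environment
# variable names from a CI runner so each one can be re-rolled and ticked off.
# Only names are printed; values never leave the process.

# Heuristic on variable names; extend for your own conventions.
NAME_PATTERN='(TOKEN|SECRET|KEY|PASSWORD|PASSWD|CREDENTIAL|AUTH)'

# list_secret_names < ENV_DUMP
# Reads NAME=VALUE lines (the format of `env`) on stdin and prints one
# matching name per line, sorted and de-duplicated.
list_secret_names() {
  grep -E '^[A-Za-z_][A-Za-z0-9_]*=' \
    | cut -d '=' -f 1 \
    | grep -E -i "$NAME_PATTERN" \
    | sort -u
}

# count_secret_names < ENV_DUMP
# Prints how many credential-like names were found.
count_secret_names() {
  list_secret_names | wc -l | tr -d ' '
}

# Constructed sample of a CI environment; every value is fake.
SAMPLE_ENV='PATH=/usr/bin
CI=true
GITHUB_TOKEN=ghp_constructed_example
AWS_SECRET_ACCESS_KEY=constructed
NPM_AUTH_TOKEN=constructed
HOME=/home/runner
DB_PASSWORD=constructed'

# On a real runner the input comes from the live environment:
#   env | list_secret_names
```

Running `printf '%s\n' "$SAMPLE_ENV" | list_secret_names` on the constructed sample yields the four names that need new values. Pair the list with the date of the first malicious change (January 31 in this case): any secret that was present in a job using the uploader after that date should be assumed exposed regardless of whether the logs show it being read.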
