Codecov Bash Uploader Compromise - 2021
Malicious modification of CI/CD upload script resulting in credential exposure
Incident Intelligence
FikreSekhel Research is tracking this campaign as a software supply chain compromise involving install-time execution paths.
Supply Chain Compromise
Attackers modified the Codecov Bash Uploader script and exfiltrated credentials from customer CI/CD environments.
Severity: Critical
Status:
Ecosystem: CI/CD
Affected packages: 1
Primitive: Remote Script Modification
Attack surface: CI/CD Pipeline
Trust boundary: External script -> CI/CD environment
Published: 2021-04-15
Attack Path
Compromised package → npm install → Remote Script Modification → Install-time execution → Credential exposure → CI/CD compromise
Technical Context
The compromise affected users downloading and executing the Bash uploader from trusted sources.
Observed Behavior
Environment variables and secrets were transmitted to attacker-controlled infrastructure.
Security Implication
Cloud credentials, repository secrets and deployment tokens were exposed.
Recommended Actions
Rotate secrets, audit CI/CD environments and replace affected upload mechanisms.
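To support the audit step, the following added example (not part of the original advisory or any Codecov tooling) scans CI configuration text for steps that fetch a remote script and execute it in the same command, which is the trust boundary this incident crossed. The sample config is constructed; `example.invalid` and `UPLOADER_SHA256` are hypothetical, and `bash <(curl -s https://codecov.io/bash)` is the uploader one-liner as it was commonly documented at the time.

```python
import re

SHELL = r"(?:ba|z|da)?sh\b"
# Shape 1: `curl URL | bash`, `wget -qO- URL | sudo sh`
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|\n]*?(https?://[^\s)\"'|]+)[^|\n]*\|\s*(?:sudo\s+)?" + SHELL)
# Shape 2: `bash <(curl -s URL)`
PROCESS_SUBST = re.compile(
    r"\b" + SHELL + r"\s+<\(\s*(?:curl|wget)\b[^)]*?(https?://[^\s)\"']+)")

def find_remote_exec(config_text):
    """Return (line_number, url) for each line that runs a remote script unverified."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip commented-out steps
            continue
        for pattern in (PIPE_TO_SHELL, PROCESS_SUBST):
            match = pattern.search(line)
            if match:
                findings.append((number, match.group(1)))
                break
    return findings

# Constructed sample CI config. The last step downloads to a file, checks a
# pinned SHA-256 (hypothetical variable) and only then runs it: not flagged.
SAMPLE_CI_CONFIG = """\
steps:
  - run: make test
  - run: bash <(curl -s https://codecov.io/bash)
  - run: curl -fsSL https://example.invalid/install.sh | sudo bash
  - run: |
      curl -fsSLo uploader.sh https://example.invalid/uploader.sh
      echo "$UPLOADER_SHA256  uploader.sh" | sha256sum -c -
      bash uploader.sh
"""

if __name__ == "__main__":
    for number, url in find_remote_exec(SAMPLE_CI_CONFIG):
        print(f"line {number}: executes remote script {url} without verification")
```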
| Severity | Package | Affected versions | CWE | Exploit maturity | Remediation |
|---|---|---|---|---|---|
| Critical | Codecov Bash Uploader Credential Exfiltration Through Modified Bash Uploader | Affected uploads between Jan 31 2021 and Apr 1 2021 | CWE-506 | Observed In The Wild | Rotate all exposed credentials and replace compromised uploader references. |