On April 1, 2021, Codecov team was alerted to a security event involving our Bash Uploader. The threat actor specifically targeted the Codecov Bash Uploader and used it to deliver a malicious payload to all Codecov users utilizing the Bash Uploader, The Codecov GitHub Action, The Codecov CircleCI Orb, and the Codecov BitRise Step (collectively, the “Bash Uploaders”).
The team immediately worked to mitigate future impact of the incident by removing the malicious change from the Bash Uploader, and implementing controls to prevent it from being added again.
There were further impacts as the nature of the malicious code change extracted git remote origin URLs and environment variables from the environment where the maliciously altered Bash Uploader was executed. The nature of this attack and follow on impacts were detailed thoroughly in our Security Update on April 15, 2021.
Customers most likely experiencing this event were those that downloaded the Bash Uploader during the window when the threat actor had unauthorized access to the Bash Uploader and executed it.