Codecov Bash Uploader: Anatomy of a 70-Day Silent Supply-Chain Breach

Threat Intelligence

The Codecov bash uploader sat compromised for over two months before anyone noticed. A look at how a Docker image flaw became a downstream secret-harvesting operation, and what CI/CD teams should rewire after it.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 1, 2024 · 8 min read

Codecov is one of those tools nobody talks about until it is the reason an incident response retainer gets activated. The bash uploader sits at the end of CI pipelines, slurps coverage reports, and ships them off. In April 2021 the company disclosed that the uploader had been modified to ship something else as well: every environment variable on the runner that touched it.

Timeline

1. January 31, 2021: attacker modifies the Codecov-uploader bash script in production. The change adds a single curl call that POSTs the runner's environment to an attacker-controlled host.
2. January through March 2021: the tampered script ships to every customer that pulls the uploader fresh. Estimated reach is roughly 29,000 customers, and each CI job hands over its secrets on execution.
3. April 1, 2021: a customer notices a checksum mismatch between the script served by Codecov and the version pinned in their internal mirror. They open a support ticket.
4. April 15, 2021: Codecov publishes the security advisory. The blast radius is now the problem: every secret exposed to a Codecov-running CI job in those 70 days must be considered compromised.
5. May 2021: downstream notifications begin. Twilio, HashiCorp, Rapid7, and Monday.com confirm secondary impact tied to the same uploader.

Root cause

The initial access vector was a misconfigured Docker image creation step at Codecov that leaked a credential. With that credential the attacker reached the production bucket hosting the uploader and modified it directly. There was no signing on the script, no checksum prominently advertised at fetch time, and the standard install pattern was a curl-pipe-bash one-liner that nobody verified.

When the install command is curl bash, the supply chain ends wherever the attacker reached first.

Attacker actions

The implanted line was small and quiet. It collected the entirety of the environment variable space, base64-encoded it, and exfiltrated to an external IP. On a typical GitHub Actions or Jenkins runner, that environment includes cloud keys, registry tokens, signing keys for releases, and any secret a maintainer added to the CI store. The attacker then used those credentials to clone private repositories and, in several confirmed cases, pivoted into customer cloud accounts.

Detection signals

• Outbound CI traffic to non-Codecov hosts during coverage upload steps. Most teams had no egress baseline for CI runners.
• Checksum drift on the uploader script. The customer who reported it caught it because their pipeline pinned an expected SHA.
• Anomalous API usage on cloud accounts using keys that should only ever appear inside CI: short-lived spikes from new geographies, often via Tor exit nodes.
• Unexpected git clone activity from service accounts against private repositories outside their usual scope.

Lessons

• Pin every third-party CI dependency by hash, not by version tag. Tag mutability is the bug.
• Scope CI secrets so each job sees only what it needs. Coverage reporting does not need the production deploy key.
• Egress allowlist CI runners. The exfil path was a single curl to an unfamiliar IP. That should have been a denied connection, not a 200 OK.
• Practice mass rotation. The customers who responded fastest had pre-built rotation scripts for every secret class.

Codecov is a finished investigation, but the model it exposed is not. Every quarter a similar story lands with a different vendor logo. The teams that absorb it best assume the next bash uploader is already in their pipeline and design accordingly.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.