A supply chain infection occurs when an attacker breaks into a vendor and plants malicious code in software utilities or packages that other organizations rely on. Like the SolarWinds Orion infection in early 2021, Codecov's Bash Uploader script was found this month to have been infected, and the vendor is working diligently to get its customer base on a more secure footing, as shared below:
Codecov takes the security of its systems and data very seriously and we have implemented numerous safeguards to protect you. On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.
CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021. Upon discovering the compromise on April 1, 2021, Codecov immediately remediated the affected script. On April 15, 2021, Codecov notified customers of the compromise and on April 29, 2021, Codecov released an update containing new detections. CISA urges all Codecov users to review the Codecov update and:
- Search for the IOCs provided.
- Log in to Codecov to see any additional information specific to their organization and repositories.
- Affected users should immediately implement the guidance in the Recommended Actions for Affected Users and FAQ sections of Codecov’s update.
- CISA recommends giving special attention to Codecov’s guidance on changing (“re-rolling”) potentially affected credentials, tokens, and keys.
- CISA also recommends revoking and reissuing any potentially affected certificates.
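
The following added example, which is not from Codecov or CISA, builds a worklist for the re-rolling step above: it finds CI files that fetch the Bash Uploader and lists the credential-like variable names those files reference. It assumes pipelines fetched the script from `codecov.io/bash`; the function names and the name pattern are illustrative.

```bash
#!/bin/sh
# Added example: locate CI definitions that fetch the Codecov Bash Uploader
# and list credential-like variable names they reference (rotation worklist).

# Assumption: jobs fetched the uploader from codecov.io/bash.
# Adjust the pattern if your pipelines used a mirror or a vendored copy.
UPLOADER_PATTERN='codecov\.io/bash'

# Assumption: secrets follow common naming habits (…_TOKEN, …_KEY, …).
SECRET_NAME_PATTERN='[A-Z0-9_]*(TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL)[A-Z0-9_]*'

# Print "file:line" for each CI file under $1 that references the uploader.
find_uploader_refs() {
  grep -rnHE "$UPLOADER_PATTERN" "$1" \
    --exclude-dir=.git \
    --include='*.yml' --include='*.yaml' --include='*.sh' \
    --include='Jenkinsfile' --include='Makefile' 2>/dev/null \
    | cut -d: -f1,2 | sort -u
}

# Print "file:NAME" for each credential-like name in the files found above.
candidate_secrets() {
  find_uploader_refs "$1" | cut -d: -f1 | sort -u \
    | while IFS= read -r f; do
        grep -owHE "$SECRET_NAME_PATTERN" "$f"
      done | sort -u
}

# Usage: sh codecov_worklist.sh /path/to/checked-out/repos
if [ "$#" -gt 0 ]; then
  echo "== Files invoking the Bash Uploader =="
  find_uploader_refs "$1"
  echo "== Credential-like names referenced in those files =="
  candidate_secrets "$1"
fi
```

The names it prints are a starting point for review; other credentials, tokens and keys available to the same jobs need the same treatment.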