Codecov Code Coverage Tool Hacked In Supply-chain Attack

Codecov's Bash Uploader script got modified by a threat actor, according to the company's investigation, exposing sensitive information in customers' continuous integration (CI) environment. Codecov provides customers with code coverage, by telling users how much of the source code executes during testing, which helps in preventing potential bugs from appearing. Attackers changed the Bash Uploader script to deliver the details from the customers’ environment to a server outside Codecov’s infrastructure by abusing an error in the process of creating Codecov’s Docker image, which allowed extracting credentials protecting the modification of the Bash Uploader script. Read more...