The attackers were able to modify the upload script, and they gained the access needed to do this because of a mistake in the creation of a Docker image.
Codecov said in a statement issued on 15 April that it became aware of the incident on 1 April, but there had been unauthorised entry to its systems from 31 January onwards. Reuters claimed the attackers had gained access to other companies using Codecov's product.
Aside from Bashuploader, it also applies to Codecov-actions, Codecov CircleCI Orb, and Codecov Bitrise Step.— Kevin Beaumont (@GossiTheDog) April 16, 2021
Good luck to network defenders hunting, as they've withheld IoCs citing a law enforcement investigation (that's not a good reason for something like this).
Codecov has about 19,000 customers, among them Hewlett Packard Enterprise, IBM, Procter & Gamble, GoDaddy, The Washington Post, and Atlassian Corporation.
He said the bash uploader was also used in the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step. The related uploaders were also affected.
It's not - @Codecov should share this one.— Kevin Beaumont (@GossiTheDog) April 16, 2021
"The altered version of the bash uploader script could potentially affect:
"Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
"Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
This is what terrifies me about the ease with which cloud providers can tie into each other via public API, with a (usually) static token (big ugly password) as the only means of authentication. Especially in multi-tenancy dominated markets (MSP, dev/devops, etc.).— gravyface (@faceofgravy) April 16, 2021
"The git remote information (URL of the origin repository) of repositories using the bash uploaders to upload coverage to Codecov in CI," Engelberg said.
He said that companies which were hosting their own Codecov on-premises were unlikely to have been affected. But those who were fetching the bash uploader from Codecov's servers were likely to have been affected.
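As an added example (not Codecov's own code), the pipeline pattern that avoids the exposure described above: download the uploader to a file, check it against a SHA-256 digest pinned in the pipeline, and only then run it, with a reduced environment instead of every secret the runner holds. The URL, the placeholder digest and the variable names are assumptions; the real digest must be obtained out of band from the vendor.

```shell
# Added example, not Codecov's code. Replaces `curl ... | bash` with
# download -> verify pinned digest -> run with a minimal environment.
set -eu

sha256_of() {
  # Print the SHA-256 hex digest of a file; works with GNU or BSD tools.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_script() {
  # Usage: verify_script <path> <expected-sha256>
  # Returns 0 only when the file's digest equals the pinned digest.
  local path="$1" expected="$2" actual
  actual="$(sha256_of "$path")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $path: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

run_pinned_uploader() {
  # Usage: run_pinned_uploader <url> <expected-sha256>
  # The script is never piped straight into a shell, and the runner's full
  # environment (tokens, cloud keys) is not handed to it: only the variables
  # the uploader needs are passed through. (URL/variable names are assumed.)
  local url="$1" expected="$2" tmp
  tmp="$(mktemp)"
  curl -fsSL "$url" -o "$tmp"
  verify_script "$tmp" "$expected"
  env -i PATH="$PATH" HOME="$HOME" CODECOV_TOKEN="${CODECOV_TOKEN:-}" bash "$tmp"
  rm -f "$tmp"
}

# Placeholder digest: replace with the vendor's published value for the
# exact uploader version you pin; a mismatch aborts the job before execution.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
```

A mismatch fails the job before the script runs, which turns a silent modification of the hosted uploader into a visible build failure.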
Update: An Atlassian spokesman said: "We are aware of the claims and we are investigating them. At this moment, we have not found any evidence that we have been impacted nor have we identified signs of a compromise."