Federal investigators probe breach at Codecov, software code coverage company

Federal officials are investigating a security breach at software auditing firm Codecov that apparently went unnoticed for months, Reuters reports. Codecov's platform is used to measure how thoroughly software code is exercised by its tests, and its 29,000 customers include Atlassian, Procter & Gamble, GoDaddy and the Washington Post.

In a statement on the company's website, Codecov CEO Jerrod Engelberg acknowledged the breach and the federal investigation, and said someone had gained access to its Bash Uploader script and modified it without the company's permission.

"Our investigation found that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users' continuous integration (CI) environments," Engelberg wrote. "This information was then sent to a third-party server outside of Codecov's infrastructure."

According to Engelberg's message, the modified version of the tool could have affected the following:

  • Any credentials, tokens or keys that our customers passed through their CI runner, which would be accessible when the Bash Uploader script was executed.
  • Any services, data stores and application code that could be accessed with these credentials, tokens or keys.
  • The git remote information (URL of the origin repository) of repositories for which the Bash Uploader was used to upload coverage to Codecov in CI.

Although the tampering began in January, it was only discovered on April 1, when a customer noticed that the checksum of the script downloaded from Codecov did not match the checksum Codecov published for it. "Immediately upon becoming aware of the issue, Codecov secured and remediated the affected script and began investigating any potential impact on users," Engelberg wrote.
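The discrepancy the customer spotted is the check that a `curl ... | bash` install pattern skips entirely: a hash of the fetched script is never compared with a value pinned elsewhere before the script runs. The following is an added example, not Codecov's own uploader or tooling; the stand-in uploader script, the "tampered" copy and the pinned hash are all constructed inline so that it runs offline. It downloads nothing and only shows the verify-before-execute discipline that would have refused to run the modified script.

```bash
#!/usr/bin/env bash
# Added example: verify a downloaded uploader script against a pinned
# SHA-256 before executing it, instead of piping curl straight into bash.
# The script bodies and the pinned hash below are constructed for this
# example; they are not Codecov's real uploader or its published checksum.
set -u

# Compute the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when the file's hash equals the pinned value, 1 otherwise.
verify_script() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# run_verified FILE EXPECTED_SHA256 [ARGS...]
# Executes the script only after verify_script has accepted it.
run_verified() {
  local file="$1" expected="$2"
  shift 2
  verify_script "$file" "$expected" || return 1
  bash "$file" "$@"
}

# --- Demonstration with constructed files --------------------------------
workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT

# Stand-in for the legitimate uploader: it only announces what it would do.
cat > "$workdir/uploader.sh" <<'EOF'
#!/usr/bin/env bash
echo "uploading coverage report"
EOF

# The value an operator pins at review time, after reading the script.
# In practice it must come from a channel the attacker cannot also edit
# (a checked-in checksum, a signed release), not from the same download.
PINNED_SHA256="$(sha256_of "$workdir/uploader.sh")"

# A tampered copy with one appended line, standing in for the kind of
# environment-exfiltration the disclosure describes (no network call here).
cp "$workdir/uploader.sh" "$workdir/uploader_tampered.sh"
echo 'echo "would send $(env | wc -l) environment variables to an external server"' \
  >> "$workdir/uploader_tampered.sh"

echo "== legitimate copy =="
run_verified "$workdir/uploader.sh" "$PINNED_SHA256" && echo "ran OK"

echo "== tampered copy =="
run_verified "$workdir/uploader_tampered.sh" "$PINNED_SHA256" || echo "refused to run"
```

The check is only as good as the provenance of the pinned hash: if the expected value is fetched from the same host that serves the script, an attacker who can modify one can modify both. Pin the hash in the repository (or verify a signature over the script) and update it deliberately when a new version has been reviewed.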

Codecov does not know who was responsible for the hijacking, but it has hired a third-party forensics firm to help determine how users were affected and has reported the matter to law enforcement. The company has emailed affected users, whom it did not name, to notify them.

"We strongly recommend that affected users immediately re-roll all of their credentials, tokens or keys located in the environment variables in their CI processes that used one of Codecov's Bash Uploaders," Engelberg added.

Although the scope of the Codecov breach remains unclear, Reuters notes that it could potentially have a similar, far-reaching impact to the SolarWinds hack late last year. In that attack, hackers affiliated with the Russian government compromised SolarWinds' monitoring and management software. About 250 entities are believed to have been affected by the SolarWinds breach, including Nvidia, Cisco and Belkin. The U.S. Treasury, Commerce, State, Energy and Homeland Security departments were also affected.
