Skip to main content

Federal investigators looking into breach at software code testing company Codecov

Federal investigators looking into breach at software code testing company Codecov


The breach happened in January but was not detected until April

Share this story

An image showing a red lock made up of code
Illustration by Alex Castro / The Verge

Federal officials are investigating a security breach at software auditing company Codecov, which apparently went undetected for months, Reuters reported. Codecov’s platform is used to test software code for vulnerabilities, and its 29,000 clients include Atlassian, Proctor & Gamble, GoDaddy, and the Washington Post.

In a statement on the company’s website, Codecov CEO Jerrod Engelberg acknowledged the breach and the federal investigation, saying someone had gained access to its Bash Uploader script and modified it without the company’s permission.

“Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration (CI) environments,” Engelberg wrote. “This information was then sent to a third-party server outside of Codecov’s infrastructure.”

According to Engelberg’s post, the modified version of the tool could have affected:

  • Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
  • Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
  • The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

Although the breach occurred in January, it was not discovered until April 1st, when a customer noticed something was wrong with the tool. “Immediately upon becoming aware of the issue, Codecov secured and remediated the potentially affected script and began investigating the extent to which users may have been impacted,” Engelberg wrote.

Codecov does not know who was responsible for the hack, but has hired a third-party forensics company to help it determine how users were affected, and reported the matter to law enforcement. The company emailed affected users, who Codecov did not name, to notify them. Atlassian said in a statement to The Verge that the company was investigating the claims. “At this moment, we have not found any evidence that we have been impacted nor have identified signs of a compromise,” an Atlassian spokesperson said.

“We strongly recommend affected users immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders,” Engelberg added.

While the breadth of the Codecov breach remains unclear, Reuters notes that it could potentially have a similar, far-reaching impact as the SolarWinds hack of late last year. In that breach, hackers associated with the Russian government compromised SolarWinds’ monitoring and management software. Some 250 entities are believed to have been affected by the SolarWinds breach including Nvidia, Cisco, and Belkin. The US Treasury, Commerce, State, Energy, and Homeland Security agencies were also affected.

Update April 19th 12:54PM ET: Added comment from Atlassian