Codecov dev tool hit in another supply chain hack

There’s another supply chain hack on the block.

Starting in January, attackers began altering Codecov’s Bash Uploader script and accessing Codecov customers’ information, the firm announced Thursday.

Codecov, a platform that provides customers with reviews of code, found out about the unauthorized access and meddling on April 1. Bash Uploader is a tool that customers use to share code reports with Codecov.

The incident could impact Codecov customers’ credentials, tokens or keys passed through users’ continuous integration environments, as well as any services or datastores that could be accessed with those credentials or keys, the firm said in a blog.

The incident may also have impacted the Codecov-actions uploader for Github, the Codecov CircleCl Orb and the Codecov Bitrise Step, the firm warned.

Codecov customers include Atlassian, Mozilla, Sweetgreen, Tile and The Washington Post, according to Codecov’s website. Codecov has 29,000 customers in all, Codecov said.

Codecov is just the latest company to be impacted by a supply chain attack — a hack in which attackers target a company’s suppliers or vendors. Russian government hackers working for Russia’s Foreign Intelligence Service (SVR) hacked federal contractor SolarWinds last year as part of a sweeping espionage operation that hit federal agencies and major tech companies, according to the U.S. government. The Accellion supply chain hack also has claimed high-profile victims.

The attackers going after Codecov, whom the firm did not identify, were able to target the Bash Uploader due to an error in Codecov’s Docker image creation process, Codecov said. The issue allowed the attackers to steal the credential that allowed them to update the Bash Uploader script.

Jerrod Engelberg, Codecov’s CEO, said in a blog the firm has been in touch with law enforcement and said it has begun working with a third party to investigate the issue.