Breachwire.riscent

Breach report

Codecov Bash Uploader: a modified build tool that quietly stole CI secrets

Web Application BreachesHigh (CI secret exposure)2021-04
The bottom lineAttackers extracted a cloud credential from a Codecov Docker image and used it to alter the widely used Bash Uploader script so that it exfiltrated environment variables and secrets from customers' CI pipelines.
Category
Web Application Breaches
Type
Named breach · Build-tool compromise
Date
2021-04
Severity
High (CI secret exposure)
OWASP
Web A08 Software/Data Integrity Failures
CWE / CVE
CWE-494

What happened

In April 2021, code-coverage vendor Codecov disclosed that its popular Bash Uploader script had been tampered with. A customer noticed on April 1, 2021 that the SHA256 hash reported on GitHub did not match the script they had downloaded, and reported it. Investigation showed that an attacker had modified the uploader so that, when it ran inside a customer's continuous-integration environment, it quietly collected sensitive data and sent it to a server the attacker controlled.

Because the Bash Uploader ran inside the CI pipelines of a large customer base, the compromise put credentials and secrets from many organizations at risk — a classic downstream supply-chain exposure through a trusted build tool.

Root cause

The failure was a software-integrity failure (CWE-494, download of code without an integrity check). The attacker "extracted an HMAC key for a Google Cloud Storage service account from an intermediate layer" in Codecov's public self-hosted Docker image, then used that stolen credential to modify the Bash Uploader as it was served to end users. The altered script "extracted git remote origin URLs and environment variables from the environment where the maliciously altered Bash Uploader was executed" — exposing whatever secrets those CI environments held. The root enabler was a credential baked into a shipped image; the delivered script was then trusted and run without verification.

How it would have been caught

Verifying the uploader's integrity before execution — the exact hash mismatch the customer spotted — catches the tampering immediately. Scanning container images for embedded secrets would have flagged the exposed HMAC key before it could be stolen. A reproduction runs the modified uploader in a sandbox seeded with a canary environment variable and confirms the canary is sent to an external host.

How to prevent it

  • Never bake credentials into container image layers; use runtime secret injection and scan images for embedded secrets.
  • Verify a signature or pinned hash of any script before piping it into a shell; do not run curl | bash blindly.
  • Scope CI secrets to least privilege and rotate them regularly so exposure is contained.
  • Alert on unexpected outbound connections from build steps.

The Breachwire test (red → green)

Run the tampered uploader in a sandbox holding a canary secret and confirm the canary is exfiltrated to an external host — the RED control. Enforce hash/signature verification before execution and remove the embedded image credential, rerun, and confirm the canary is never sent off-box, while legitimate coverage uploads still complete.