Breach report
Codecov Bash Uploader: a modified build tool that quietly stole CI secrets
What happened
In April 2021, code-coverage vendor Codecov disclosed that its popular Bash Uploader script had been tampered with. A customer noticed on April 1, 2021 that the SHA256 hash reported on GitHub did not match the script they had downloaded, and reported it. Investigation showed that an attacker had modified the uploader so that, when it ran inside a customer's continuous-integration environment, it quietly collected sensitive data and sent it to a server the attacker controlled.
Because the Bash Uploader ran inside the CI pipelines of a large customer base, the compromise put credentials and secrets from many organizations at risk — a classic downstream supply-chain exposure through a trusted build tool.
Root cause
The failure was a software-integrity failure (CWE-494, download of code without an integrity check). The attacker "extracted an HMAC key for a Google Cloud Storage service account from an intermediate layer" in Codecov's public self-hosted Docker image, then used that stolen credential to modify the Bash Uploader as it was served to end users. The altered script "extracted git remote origin URLs and environment variables from the environment where the maliciously altered Bash Uploader was executed" — exposing whatever secrets those CI environments held. The root enabler was a credential baked into a shipped image; the delivered script was then trusted and run without verification.
How it would have been caught
Verifying the uploader's integrity before execution — the exact hash mismatch the customer spotted — catches the tampering immediately. Scanning container images for embedded secrets would have flagged the exposed HMAC key before it could be stolen. A reproduction runs the modified uploader in a sandbox seeded with a canary environment variable and confirms the canary is sent to an external host.
How to prevent it
- Never bake credentials into container image layers; use runtime secret injection and scan images for embedded secrets.
- Verify a signature or pinned hash of any script before piping it into a shell; do not run
curl | bashblindly. - Scope CI secrets to least privilege and rotate them regularly so exposure is contained.
- Alert on unexpected outbound connections from build steps.
The Breachwire test (red → green)
Run the tampered uploader in a sandbox holding a canary secret and confirm the canary is exfiltrated to an external host — the RED control. Enforce hash/signature verification before execution and remove the embedded image credential, rerun, and confirm the canary is never sent off-box, while legitimate coverage uploads still complete.