Alert

Codecov Releases Security Update

Codecov has released a security update to address the unauthorized modification of their Bash Uploader script, which, according to the update, began January 31, 2021. The update also states that, upon discovering the compromise on April 1, 2021, Codecov immediately remediated the affected script. On April 15, 2021, Codecov notified affected customers via email and a notification banner within the application.

CISA urges affected Codecov users to immediately implement the guidance in the Recommended Actions for Affected Users and FAQ sections of the Codecov security update. CISA recommends giving special attention to Codecov’s guidance on changing (“re-rolling”) potentially affected credentials, tokens, and keys. CISA also recommends revoking and reissuing any potentially affected certificates.
