Codecov has disclosed at the beginning of this month that unknown attackers changed the script they utilize to upload data on their servers. The script exploited the fact that Codecov’s tools have access to internal accounts and exported those credentials to an unauthorized server.

Codecov, which provides tools to assess how much of an application’s code is subject to unit tests, reported that a script used to upload data to its servers was modified to export credentials to a hacker’s server.

The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.


The Bash Uploaders were modified with a malicious line of code that exfiltrated environment variables and secrets collected from some customers’ CI/CD environments, to an attacker-controlled server.

Instances of Codecov Bash Uploader used in HashiCorp code


HashiCorp is a software company that provides open-source tools and commercial products that enable developers, operators, and security professionals to provision, secure, run and connect cloud-computing infrastructure.

According to HashiCorp, a Codecov customer, a private code-signing key was exposed following the recent Codecov supply-chain attack focusing on collecting developer credentials. The private key is utilized by the company to sign and check software releases, and since the attack has been rotated as a safety measure.

Jamie Finnigan, director of product security at HashiCorp declared its inquiry didn’t reveal that any of its existing releases had been modified. The company canceled the exposed key and re-signed all official downloads on HashiCorp’s website with a new key.

While the Codecov attack investigation has not revealed evidence of unauthorized usage of the exposed GPG key, it has been rotated in order to maintain a trusted signing mechanism.


As stated by HashiCorp, the security breach has only affected the company’s SHA256SUM signing mechanism.

The exposed key did not affect signing for Linux packages (Debian and RPM) available on nor Windows AuthentiCode signing or MacOS code signing.

Finnigan stated:

Terraform automatically downloads provider binaries during the terraform init operation and performs signature verification during this process.”

The company declared that their Terraform product will be patched soon in order to use the new GPG key. The patched releases of Terraform and related tools that are using the new key will be announced during automatic code verification.

In the short term, transport-level TLS protects official Terraform provider binaries downloaded during init, and manual verification of Terraform and its providers can be performed with the new key and signatures as described at


“HashiCorp has performed additional remediations related to information potentially exposed during this Codecov attack,” Finnigan said but did not give more information about what else may have been collected.

Codecov’s attack is a type of supply chain attack where threat actors target an organization’s suppliers or vendors. When the hackers attacked Codecov, they obtained all sorts of login documents, API keys, and other security details. 

In the case of HashiCorp, if the hackers had interfered with the business’s tools, that would be yet another supply chain attack because those tools are used by organizations around the world.

What Is a Supply Chain Attack?

Code Testing Company Codecov Hit with Supply-Chain Attack

Codecov Code Coverage Tool Hacked

Leave a Reply

Your email address will not be published. Required fields are marked *