Codecov: Codecov bash-uploader supply-chain compromise exfiltrates customer secrets
A threat actor exploited an error in Codecov's Docker image creation process to obtain credentials, then modified the Bash Uploader script to exfiltrate environment variables (including secrets) from customer CI environments.
One of the four practices that failed in this incident is part of the Sentinel-10 — the engineering protocols Concordance flags as most degraded under AI-accelerated development.
This incident predates today's AI-velocity surge. The thesis is that the same practices that failed here will fail faster under AI velocity if they are not actively governed.
Impact
Affected approximately 29,000 enterprise customers, including HashiCorp, Atlassian, Twilio and Rapid7, and triggered an industry-wide review of CI/CD secret handling.
Root cause (from published RCA)
A flaw in Codecov's Docker image creation process allowed a malicious actor to extract the credentials needed to modify the Bash Uploader script. The modified script remained in production for over two months before detection. Customer CI pipelines fetched the script directly with curl and executed it, so it ran with access to the pipeline's environment variables, including credentials.
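The two controls that would have blunted this root cause are pinning the fetched script to a published digest before executing it and running it with a stripped environment, so a tampered copy is refused rather than run and, even if run, sees no CI secrets. The following is an added example, not Codecov's uploader or its published checksum procedure; the script content and pinned digest are constructed inline for the demo, and a real pipeline would take the pinned value from the vendor's signed checksum file.

```shell
#!/usr/bin/env sh
# Added example (not Codecov's code). Demonstrates integrity-pinning a fetched
# CI helper script and executing it with a minimal environment.

# Compute the SHA-256 of a file; portable across sha256sum and shasum hosts.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE only if its digest equals EXPECTED_SHA256; returns 1 otherwise.
# The script is executed with an emptied environment (env -i) plus only the
# variables it legitimately needs, so a tampered copy cannot harvest other
# CI secrets from the environment.
verify_and_run() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != pinned $expected" >&2
        return 1
    fi
    env -i PATH="$PATH" UPLOAD_TOKEN="${UPLOAD_TOKEN:-}" sh "$file"
}

# Demo with constructed files: a "published" uploader, the digest the vendor
# would pin, and a copy modified after publication (the scenario in the RCA).
# Returns 0 when the genuine copy runs and the modified copy is refused.
demo() {
    dir="$(mktemp -d)"
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$dir/uploader.sh"
    pinned="$(sha256_of "$dir/uploader.sh")"   # constructed stand-in for the vendor's published hash
    cp "$dir/uploader.sh" "$dir/tampered.sh"
    printf 'echo "line added after publication"\n' >> "$dir/tampered.sh"
    verify_and_run "$dir/uploader.sh" "$pinned" || return 1   # genuine copy must run
    if verify_and_run "$dir/tampered.sh" "$pinned" 2>/dev/null; then
        return 1                                               # modified copy must be refused
    fi
    rm -rf "$dir"
    return 0
}
```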