Codecov Bash Uploader Compromise: CI/CD Secrets Harvested from Thousands of Companies
Attackers modified Codecov's bash uploader script — used by thousands of companies in their CI/CD pipelines — to exfiltrate environment variables including AWS keys, API tokens, and private credentials from every organisation that ran it.
Background
Codecov is a code coverage reporting tool integrated into CI/CD pipelines. Its bash uploader script is downloaded during each build and executed in the build environment, where it has access to all environment variables — including secrets like AWS keys, API tokens, and database passwords set by the CI platform.
The Attack
Attackers gained access to Codecov's Google Cloud Storage bucket where the bash uploader script was hosted. They modified the script to add a single line that collected all environment variables and CI job metadata and sent them via HTTP to an attacker-controlled server (IP in Yangon, Myanmar). The modified script was available for download from January 31 to April 1, 2021 — 2 months. Because the script was run inside CI pipelines with access to production secrets, every organisation that ran Codecov builds during that period potentially exposed all of their CI/CD environment variables.
Response
Codecov discovered the modification on April 1, 2021, after a customer noticed a SHA checksum mismatch. Codecov immediately alerted customers and notified law enforcement. Companies including Twilio, HashiCorp, Rapid7, and hundreds of others conducted forensic investigations and rotated potentially compromised credentials.
Outcome
The scope was enormous: Codecov estimated thousands of customer organisations were affected. HashiCorp disclosed that GPG signing keys were exposed. Twilio rotated secrets. The attack demonstrated that CI/CD pipelines are critical attack surfaces — build environments have access to all production secrets.
Key Takeaways
- All downloaded scripts executed in CI pipelines must have checksum verification before execution
- CI/CD environment variables containing production secrets are extremely sensitive — store them in secrets managers with minimal scope
- Code coverage and analytics tools running inside build environments have access to all secrets — audit what you grant them
- Rotate all credentials potentially exposed in a CI pipeline breach — assume all environment variables were captured
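The first takeaway in practice, as an added example that is not Codecov's uploader or any code from this page: a fail-closed shell gate that refuses to execute a downloaded script unless its SHA-256 matches a pinned value. It assumes sha256sum or shasum is on the PATH; the pinned checksum is computed here from a constructed benign sample, whereas a real pipeline would read it from the vendor's published checksum file, and the tampered copy is constructed to show that any appended line changes the hash.

```shell
#!/bin/sh
# Fail-closed checksum gate for a downloaded CI script (constructed example).
# Usage: verify_script <path> <expected-sha256>
# Returns 0 only when the file's SHA-256 equals the pinned value; otherwise
# prints a diagnostic and returns 1 so the caller never runs the file.

sha256_of() {
    # Portable SHA-256 (assumption: GNU coreutils or BSD/macOS shasum is present).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_script() {
    path="$1"
    expected="$2"
    [ -f "$path" ] || { echo "verify_script: $path not found" >&2; return 1; }
    actual=$(sha256_of "$path")
    if [ "$actual" != "$expected" ]; then
        echo "verify_script: checksum mismatch for $path" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# Execute only after the gate passes; never pipe a download straight into a shell.
run_verified() {
    verify_script "$1" "$2" && sh "$1"
}

# Constructed demonstration: a benign "uploader" and a copy with one line appended.
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report"' > "$demo_dir/uploader.sh"
PINNED_SHA256=$(sha256_of "$demo_dir/uploader.sh")  # real pipelines pin the vendor's published value
cp "$demo_dir/uploader.sh" "$demo_dir/tampered.sh"
echo 'echo "an appended line"' >> "$demo_dir/tampered.sh"
```

In a real pipeline the pinned value lives in the repository next to the workflow, so a change to the script on the download host is caught before anything in the build environment runs it.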
How to Prevent This
Implement and monitor egress filtering — outbound traffic controls detect exfiltration
Most network security focuses on blocking inbound connections. Egress filtering — controlling and monitoring outbound connections — is equally important and frequently neglected. The Codecov bash uploader attack sent CI/CD secrets to an attacker-controlled server via HTTP. The CCleaner backdoor sent system data outbound via standard ports. Without egress filtering, any process on any machine can establish outbound connections to any address. Implement explicit allow-listing for outbound traffic from sensitive systems, log all egress connections, and alert on connections to newly registered domains or unexpected geographic regions.
Use short-lived credentials via OIDC for CI/CD pipelines instead of long-lived secrets
Long-lived AWS access keys, GitHub personal access tokens, and API secrets stored in CI/CD environment variables are stolen regularly. The Codecov bash uploader attack harvested environment variables from thousands of build pipelines. The GitHub/Heroku OAuth token theft gave attackers access to private repositories. OpenID Connect (OIDC) enables CI/CD systems to request short-lived, scoped credentials from AWS, GCP, and Azure for each specific pipeline run — with no static secret stored anywhere. A stolen OIDC token is valid for minutes, not months. GitHub Actions, CircleCI, and most major CI platforms support OIDC-based credential exchange.