Security response specialists are struggling to measure the result from a software supply chain settlement of Codecov Bash Uploader that went undiscovered since January and revealed sensitive secrets such as keys, tokens, and credentials from companies across the globe. The hack took place four months ago but was only found in the wild by a Codecov customer recently.
Codecov said that they recently discovered that someone had gotten unauthorized access to their Bash Uploader script and changed it without their permission. The malicious lead is said to have access due to an error in Codecov’s Docker image creation process that probably helped the hacker to pull out credentials.
To Read More: Security Week