Criminals stole developer credentials via devtool Bash Uploader
Criminal hackers stole login credentials between January and April by gaining access to Bash Uploader, a developer tool from software auditing company Codecov, and modifying the code of the script. An unknown number of customers have been affected as a result.
Codecov has reported a vulnerability in which criminals added a credential harvester to Bash Uploader, the developer tool that Codecov users run to send reports to the company for analysis. The criminals were able to steal login details from an as yet unknown number of Codecov’s 29,000 customers.
Codecov reports that the attacker was able to actively steal data from users for at least two and a half months after gaining access to Bash Uploader on January 31. Login data, tokens and keys were stolen. Codecov only discovered the vulnerability on April 1, after a customer noticed that something was not quite right in the tool.
Codecov’s customers also include major companies such as Atlassian, P&G, GoDaddy, the Washington Post, Tile, Dollar Shave Club, and Webflow. All customers have received an email with instructions on how to act now. The company is calling on all users to change all credentials they have used in the past two and a half months.
This isn’t just about customers using Bash Uploader. Because Bash Uploader is woven into the company’s other products, Codecov believes many of its customers have been affected by the leak. The Bash Uploader script that the hacker modified is used in the Codecov action uploader for GitHub, CircleCI Orb, and Bitrise Step, among others.
US federal investigators have launched an investigation into the incident. They are concerned about the size of the leak and compare it with, for example, the SolarWinds hack of a few months ago, especially because developers from so many large companies use Codecov’s tools.