Rapid7 has disclosed that the attackers behind the Codecov breach had accessed some of the company's source code using a previously compromised Bash Uploader script from Codecov.
On April 15, 2021, Codecov, a provider of code coverage solutions, announced a supply chain incident in which a malicious party gained access to Codecov’s Bash Uploader script and modified it, enabling the attacker to export data stored in environment variables on Codecov customers’ continuous integration (CI) systems to an attacker-controlled server. Codecov’s disclosure with more details is available at https://about.codecov.io/security-update/.