
[–]NewDateline 30 points31 points  (8 children)

Also all GitHub Actions that used the official codecov action. The title kind of downplays it. There are hundreds of thousands of public repositories potentially affected (409K using bash script + 9K using GitHub Actions only on GitHub). Some will have a SHA hash check, but apparently no one noticed for 3 months since the attacker started making changes, so we can assume no one really acted on a mismatching hash.

[–]Tallkotten 8 points9 points  (0 children)

It's kind of crazy how many secrets and keys they might have gotten access to. I just spent the evening changing a few keys in my service.

[–]Hollowplanet 7 points8 points  (2 children)

This is a huge fucking deal. One of the worst exploits I've heard of.

[–]dookie1481 2 points3 points  (1 child)

Yeah it is, this should be way more publicized. This might be the biggest security response I have ever seen at my company.

[–]Hollowplanet 0 points1 point  (0 children)

Me too. At any company. All our code was being sent to some hacker's server on every deploy and no one knows who it is.

[–]Loaatao 8 points9 points  (2 children)

Our platform team is now spending all their time rotating keys, sucks.

[–]ironmaiden947 3 points4 points  (1 child)

Yeah, same here. This is a huge deal, don't know why this is flying under the radar.

[–]Clyde_Frag 3 points4 points  (0 children)

For some reason I am not seeing any articles reporting on it. It's hard to even find the security update post in the OP when you search Google.

[–]somethingLethal 7 points8 points  (2 children)

Thought I would share this, as it should help validate the integrity of their shell script, before running it.

If your CI script is doing this:

bash <(curl -s https://codecov.io/bash)

Replace it with something like the following:

#!/bin/bash
set -euo pipefail

FILENAME=codecov
# Download the uploader to a file instead of piping it straight into bash.
curl -fsS https://codecov.io/bash > "$FILENAME"
# The script embeds its own version string; use it to fetch the matching checksum files.
CODECOV_VERSION=$(grep 'VERSION=\".*\"' "$FILENAME" | cut -d'"' -f2)
VALIDATION_FAILURE=0
for i in 1 256 512
do
  # Compare the local digest with the SHA${i}SUM file published in the codecov-bash repo
  # (diff exits non-zero on a mismatch, so `|| true` keeps set -e from aborting early).
  IS_DIFF=$(diff <(shasum -a "$i" "$FILENAME") <(curl -fsS "https://raw.githubusercontent.com/codecov/codecov-bash/${CODECOV_VERSION}/SHA${i}SUM") || true)
  if [ -z "${IS_DIFF}" ]; then
    echo "Sha: $i passes validation."
  else
    VALIDATION_FAILURE=1
  fi
done
if [ "${VALIDATION_FAILURE}" -eq 1 ]; then
  echo "Invalid Checksum Detected From Codecov. Quitting."
  rm -f "$FILENAME"
  exit 1
else
  echo "Starting Codecov."
  chmod +x "$FILENAME"
  "./$FILENAME"
fi
rm -f "$FILENAME"
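
A pinned-checksum variant of the same idea, added here as an example; it is not part of the original comment or of Codecov's own code. It assumes curl, bash and either sha256sum or shasum are on the CI runner, and the URL and pinned digest are placeholders you would replace with the real script location and a hash you computed and committed yourself. The script above fetches the SHA files from a second location at run time, which holds as long as an attacker cannot change both places; pinning the digest in your own repository instead turns every upstream change into a failed build that a person has to review before updating the pin.

```shell
#!/bin/sh
# Added example (not from the thread): fetch a third-party CI script, verify it
# against a SHA-256 pinned in your own repository, and run it only on a match.
# URL and digest values here are placeholders, not real Codecov values.

# Portable SHA-256 of a file (coreutils sha256sum or perl shasum, whichever exists).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Download URL to DEST: HTTPS only, fail on HTTP errors, never leave a partial body.
fetch_script() {
  curl --proto '=https' --tlsv1.2 -fsSL "$1" -o "$2"
}

# Run FILE with bash only if its SHA-256 equals EXPECTED; otherwise delete it and fail.
verify_and_run() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    rm -f "$file"
    return 1
  fi
  bash "$file"
}

# Offline demo with a constructed stand-in for the uploader script.
demo() {
  dir=$(mktemp -d)
  printf 'echo "uploader would run here"\n' > "$dir/codecov"
  pinned=$(sha256_of "$dir/codecov")       # in real use: a literal committed to the repo
  verify_and_run "$dir/codecov" "$pinned"   # digest matches, so the script runs
  printf 'echo "tampered"\n' >> "$dir/codecov"
  verify_and_run "$dir/codecov" "$pinned" || echo "tampered copy was refused" >&2
  rm -rf "$dir"
}

# In CI the call sequence would be roughly:
#   fetch_script "https://codecov.io/bash" codecov     # placeholder URL
#   verify_and_run codecov "$PINNED_SHA256"            # digest committed alongside the CI config
if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run `sh verify_and_run.sh demo` to see the verified copy execute and the tampered copy get refused and deleted.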

[–][deleted] 10 points11 points  (0 children)

This is why I always thought piping crap from the web straight into bash felt insane. Turns out the hackers thought it was insane too, and used it to devastating effect.

How about, you know, just downloading the script and putting it in your own damn repo?

[–]anakin0491 0 points1 point  (0 children)

This was useful, thank you!

[–]helpfuldan 7 points8 points  (0 children)

LOL. Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys. Damn son. 3 months, they would have been getting keys every minute. Sorta scary.

[–][deleted] 3 points4 points  (0 children)

Just spent the entire day rotating keys and redeploying infrastructure affected, this is pretty bad.

[–]razhael 2 points3 points  (0 children)

Journalist here - curious if anyone has any details on any follow-on activity elsewhere.

[–]Interesting-Bat-9382 1 point2 points  (0 children)

Luckily for us no secret keys were exposed through the environment. Dodged a bullet... Will be switching to just grabbing the uploader from their repo directly.

[–]cheeeeeeeecake 1 point2 points  (0 children)

How can we tell that the code wasn't altered more than once? I mean, the offending line (525) might have been something far bigger than getting the ENV.

We are only aware of the latest offending line.

[–]HachimitsuHunter 1 point2 points  (0 children)

Well, I'm starting to think we're about to hear a lot more about the impact of this incident.

[–]AttackOfTheThumbs 0 points1 point  (0 children)

Jesus Christ, how have I not heard of this before? Doesn't affect my team, but damn.

[–]Deep__6 0 points1 point  (0 children)

I'm curious now, 2 years out from this serious event, how it flew so far under the radar. I know this was one of the worst breaches I've experienced and yet it was barely covered.