H-ISAC TLP White Finished Intelligence Reports: Codecov Releases New Detections for Supply Chain Compromise

April 30, 2021

On April 30, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) posted an alert titled "Codecov Releases New Detections for Supply Chain Compromise."

CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021. Upon discovering the compromise on April 1, 2021, Codecov immediately remediated the affected script. On April 15, 2021, Codecov notified customers of the compromise, and on April 29, 2021, Codecov released an update containing new detections, including indicators of compromise (IOCs) and a non-exhaustive data set of likely compromised environment variables, to assist organizations in determining whether they have been affected.

Immediately upon becoming aware of the issue, Codecov secured and remediated the affected script and began investigating any potential impact on users. A third-party forensic firm has been engaged to assist in the analysis of the incident. In addition, Codecov has reported the matter to law enforcement and is fully cooperating with their investigation.

Codecov’s investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of their Bash Uploader script by a third party, which enabled them to potentially export information stored in users' continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.

The Bash Uploader is also used in several related uploaders, or “Bash Uploaders”, including the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step. Therefore, these related uploaders were also impacted by the incident.

View the entire report under Key Resources to learn more.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA


(O) +1 202 626 2272

(M) +1 202 640 9159
