The FBI has discovered the Codecov breach reported earlier this week has led to the compromise of hundreds of restricted networks belonging to the company’s clients.
Earlier, the San Francisco-based firm announced that an unscrupulous user had broken through its digital defenses and modified its Bash Uploader script. In a statement, Codecov warned that customers that had executed the booby-trapped script ran the risk of losing their credentials, tokens, or keys stored in their continuous integration (CI) environments.
It now appears it’s worst fears have come true. Investigators from the FBI’s San Francisco office told Reuters that the hackers used an automated mechanism to copy the credentials of Codecov’s customers.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
Supply chain attack
While Codecov said it had taken steps to address the breach, news of the incident triggered fears of a SolarWinds-scale supply chain attack, primarily because of the length of time the tampered script remained in use and given the size of Codecov’s customer base.
An anonymous investigator told Reuters that, in typical supply chain attack fashion, the hackers put extra effort into using Codecov to infiltrate other “makers of software development programs” as well as companies that themselves provide many customers with technology services.
One of the companies the investigator highlighted was IBM. While an IBM spokeswoman told Reuters that it was investigating the incident, the software giant had “thus far found no modifications of code involving clients or IBM”. Notably, however, she did not address whether access credentials to the company’s systems had been pilfered.
Meanwhile, it isn’t clear whether the investigators, in light of the new development, will now expand their investigation beyond Codecov.