Protect Against Russia-Ukraine Cyber Activity

Threat Brief: Codecov Bash Uploader

This post is also available in: 日本語 (Japanese)

On April 16, Codecov, an online platform and software company that provides code testing reports and statistics, disclosed that an adversary modified their Bash Uploader script. The Bash Uploader script allows its customers to send code coverage reports to the Codecov platform for analysis.

Codecov’s investigation found that beginning January 31, a threat actor made periodic, unauthorized alterations to the Bash Uploader script. The script was modified to export information out of their users’ continuous integration (CI) environments to a third-party server outside of Codecov’s infrastructure. This information could include, but is not limited to, credentials, tokens, services, datastores and application code. 

This incident is not limited to clients who only used the Bash Uploader script. This script can also be found in other tools such as:

As of the time of this writing, based on signatures and indicators that have been observed, Palo Alto Networks customers are protected across our product ecosystem, with specific protections deployed in the following products and subscriptions: 

  • Next-Generation Firewall
    • Threat Prevention: Anti-Spyware Signatures 86353 (Malicious Modified Shell Script Detection) and 86355 (Data Exfiltration Traffic Detection)
    • WildFire: WildFire blocks the malicious Bash Uploader Script 
  • Cortex XDR
    • Customers are protected via XDR analytical detection capabilities 
  • Cortex XSOAR:
    • Codecov Breach - Bash Uploader (Rapid Breach Response Pack)

Organizations using Codecov’s Bash Uploader script, or one of the other impacted tools should carefully evaluate their exposure to this threat. We recommend customers take advantage of the protections listed above and implement the remediation actions recommended by Codecov to limit their impact.