The FBI has discovered the Codecov breach (opens in new tab) reported earlier this week has led to the compromise of hundreds of restricted networks belonging to the company’s clients.
Earlier, the San Francisco-based firm announced that an unscrupulous user had broken through its digital defenses (opens in new tab) and modified its Bash Uploader script. In a statement, Codecov warned that customers that had executed the booby-trapped script ran the risk of losing their credentials, tokens, or keys stored in their continuous integration (CI) environments.
It now appears it’s worst fears have come true. Investigators from the FBI's San Francisco office told Reuters that the hackers used an automated mechanism to copy the credentials of Codecov’s customers.
- Protect your devices with these best antivirus (opens in new tab) software
- We’ve also rounded up the best ransomware protection tools (opens in new tab)
- Here's our choice of the best malware removal (opens in new tab) software on the market
Supply chain attack
While Codecov said it had taken steps to address the breach, news of the incident triggered fears of a SolarWinds-scale supply chain attack, primarily because of the length of time the tampered script remained in use and given the size of Codecov’s customer base.
An anonymous investigator told Reuters that, in typical supply chain attack fashion, the hackers put extra effort into using Codecov to infiltrate other “makers of software development programs” as well as companies that themselves provide many customers with technology services.
One of the companies the investigator highlighted was IBM. While an IBM spokeswoman told Reuters that it was investigating the incident, the software giant had “thus far found no modifications of code involving clients or IBM". Notably, however, she did not address whether access credentials to the company's systems had been pilfered.
Meanwhile, it isn’t clear whether the investigators, in light of the new development, will now expand their investigation beyond Codecov.
- These are some of the best endpoint protection software (opens in new tab) offerings around
Via Reuters (opens in new tab)