On April 15, 2021, the Codecov team (makers of the code coverage tool of the same name) published the Bash Uploader Security Update post describing their recent security breach, yet another attack on the software supply chain. Since we used this software for Hangfire in the past, and since it is still used by one of our projects, Cronos, we set out to understand what happened. In short: we used the codecov tool from PyPI (the Python Package Index), which is a different product from the Bash Uploader and, according to the Codecov team, is unaffected by the breach.
Codecov was used only by the HangfireIO/Hangfire repository (removed in 2018 by this commit, after migration to the new project format) and by HangfireIO/Cronos, in the following way: the codecov tool was installed with pip from the Python Package Index. That package is a completely different code base from the Bash Uploader script.
```yaml
# appveyor.yml (excerpt): the coverage upload step used by Hangfire and Cronos
after_build:
  # Put the Python 3.4 interpreter and its Scripts directory on PATH
  - "SET PATH=C:\\Python34;C:\\Python34\\Scripts;%PATH%"
  # Install the codecov package from PyPI (not the Bash Uploader script)
  - pip install codecov
  # Upload the coverage report produced by the build
  - codecov -f coverage.xml
```
As part of the investigation, we revoked one of our GitHub Personal Access Tokens, which AppVeyor used to publish artifacts to GitHub Releases automatically, and we will remove this build step from our repositories entirely to avoid such problems in the future. The point is that this feature requires full access to the underlying repository just to publish a new ZIP file with binaries, so any compromised software that can read such a token from the build environment (as the Bash Uploader above could) would be able to do a lot of damage to the affected repositories.
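Whatever a build step can read from the environment, a compromised build step can read too, and the scope of a leaked token decides how much that leak buys. The following Python script is an added example written for this page, not code from the Hangfire or Cronos repositories. It lists the names of credential-looking environment variables (what a tool such as the Bash Uploader could have collected) and grades the scopes granted to a GitHub classic personal access token against the minimum needed to upload a release asset, using the X-OAuth-Scopes header that GitHub returns on any authenticated API request. The variable-name pattern, the sample environment and the sample header value are constructed for this example.

```python
"""Post-incident checks for a CI pipeline whose environment may have leaked:
1) which variables a build step could read that look like credentials, and
2) how much a leaked GitHub classic token can do, judged from its scopes.
Example code for this page; not part of Hangfire or Cronos."""
import os
import re
import urllib.request

# Names that usually hold credentials. The pattern is an assumption for this
# example; extend it to match your CI provider's naming conventions.
CREDENTIAL_NAME = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY|ACCESS_KEY)", re.IGNORECASE
)

# Classic PAT scopes that allow uploading a release asset: 'public_repo' for
# public repositories, 'repo' for private ones as well. Both are write access
# to every repository the token owner can reach, not just to one release.
PUBLISH_SCOPES = {"public_repo", "repo"}


def find_credential_vars(environ):
    """Return, sorted, the NAMES (never the values) of variables that look like
    credentials. Everything listed here was readable by every build step."""
    return sorted(name for name in environ if CREDENTIAL_NAME.search(name))


def parse_oauth_scopes(header_value):
    """Turn an X-OAuth-Scopes header ('repo, gist, workflow') into a set.
    A missing or empty header (fine-grained tokens, no scopes) yields set()."""
    if not header_value:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit_token_scopes(scopes):
    """Judge a token whose only job is to upload release assets.

    Returns (can_publish, excess): whether the token can do the job at all,
    and the sorted list of granted scopes that publishing never needs."""
    scopes = set(scopes)
    can_publish = bool(scopes & PUBLISH_SCOPES)
    excess = sorted(scopes - PUBLISH_SCOPES)
    return can_publish, excess


def fetch_oauth_scopes(token, url="https://api.github.com/user"):
    """Live lookup (needs network): GitHub reports a classic token's scopes in
    the X-OAuth-Scopes response header of an authenticated request."""
    req = urllib.request.Request(
        url, headers={"Authorization": "token " + token, "User-Agent": "scope-audit"}
    )
    with urllib.request.urlopen(req) as resp:
        return parse_oauth_scopes(resp.headers.get("X-OAuth-Scopes"))


if __name__ == "__main__":
    # Constructed stand-in for a CI build's environment.
    sample_env = {
        "PATH": "C:\\Python34;C:\\Python34\\Scripts",
        "APPVEYOR_BUILD_NUMBER": "42",
        "GITHUB_TOKEN": "example-not-a-real-token",
        "CODECOV_TOKEN": "example-not-a-real-token",
    }
    print("credential-like variables readable by the build:",
          find_credential_vars(sample_env))

    # Constructed header value for a token created with 'repo' plus extras.
    granted = parse_oauth_scopes("repo, workflow, gist")
    can_publish, excess = audit_token_scopes(granted)
    print("can publish release assets:", can_publish, "| excess scopes:", excess)

    # With a real token in GITHUB_TOKEN, audit it live instead of the sample.
    real_token = os.environ.get("GITHUB_TOKEN")
    if real_token:
        print("live audit:", audit_token_scopes(fetch_oauth_scopes(real_token)))
```

Run it without arguments for the offline demonstration; `fetch_oauth_scopes` performs the live lookup when given a real token. Note that even a token with nothing but `public_repo` or `repo` is write access to every repository its owner can reach, which is why the post's fix is to remove the publishing step altogether rather than to narrow the token.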
We have also removed the Codecov tool from our build pipeline entirely, since it wasn't working anyway, and will keep this breach in mind if we decide to add it again.