Supply chain attack in Codecov generates leaking of the source code

A supply chain attack was recently confirmed at Codecov and reportedly affected multiple companies. One of the organizations impacted by this incident is, which provides online workflow management solutions used by project managers, sales teams, marketing teams, and other business areas.

Through the filing of a U.S. Securities and Exchange Commission (SEC) Form F-1, the company confirmed the incident and gave some details about it and its perceived impact: “After an initial investigation, it was confirmed that an unidentified actor accessed a read-only copy of our source code,” the filing states, while also noting that there is no evidence that the attackers manipulated the source code or any other resource of the affected company. The company also states that its customers’ information has not been exposed by this incident. Before submitting the filing to the SEC, the company stated that, upon detecting the incident, it removed Codecov’s access to its environment and suspended use of these solutions.

Unfortunately, it is not the only company affected by the incident at Codecov, which reportedly went unnoticed for up to two months and whose actual scope remains unknown. U.S. cybersecurity firm Rapid7 revealed that some of its source code repositories and credentials were compromised in this incident; HashiCorp, for its part, revealed that its GPG private key was compromised by the attack.

Other affected companies include the cloud services firms Twilio and Confluent, as well as the insurer Coalition. Since then, multiple Codecov customers have had to implement additional security measures to prevent threat actors from abusing existing security weaknesses.

Due to the similarities between this incident and the supply chain attack on SolarWinds, the attack on Codecov is being investigated by the Federal Bureau of Investigation (FBI). For the time being, Codecov continues to send notifications to affected customers and has even published a list of indicators of compromise for identifying potential security risks.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.