Threat Management

Codecov replaces Bash script following supply chain attack

ZDNet reports that Codecov has unveiled a new NodeJS uploader to replace the previously used Bash script uploader, which was blamed for the recent string of supply-chain attacks that began around the end of January. The NodeJS uploader, which is currently in beta, will be delivered as a static binary executable supported by Windows, macOS, Linux and Alpine Linux systems, Codecov said in a blogpost.

Threat actors were able to infiltrate Codecov's network and compromise its Bash uploader around January 31, enabling them to steal information from users' continuous integration environments, as well as "raid additional resources," according to investigators who examined the attack. Hundreds of organizations, including Mercari,, Twilio and Rapid7, were impacted by the supply-chain attack.

Codecov said that with the NodeJS uploader, which it developed for eight months, the Bash uploader will be depreciated beginning November, with support ending next February. Various security improvements were also implemented by Codecov following the attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.