Threat actors were able to infiltrate Codecov's network and compromise its Bash uploader around January 31, enabling them to steal information from users' continuous integration environments, as well as "raid additional resources," according to investigators who examined the attack. Hundreds of organizations, including Mercari, Monday.com, Twilio and Rapid7, were impacted by the supply-chain attack.
Codecov said that, with the NodeJS uploader it spent eight months developing, the Bash uploader will be deprecated beginning in November, with support ending next February. Codecov also implemented various security improvements following the attacks.