Security

Backdoored Developer Tool That Stole Credentials Escaped Notice for 3 Months

Backdoored Developer Tool That Stole Credentials Escaped Notice for 3 Months

A publicly available software development tool contained malicious code that stole the authentication credentials that apps need to access sensitive resources. It’s the latest revelation of a supply chain attack that has the potential to backdoor the networks of countless organizations. The Codecov bash uploader contained the backdoor from late January to the beginning of April, developers of the tool said on Thursday. The backdoor caused developer computers to send secret authentication tokens and other sensitive data to a remote site controlled by the hackers. The uploader works with development platforms including Github Actions, CircleCI, and Bitrise Step, all of which support having such secret authentication tokens in the development environment.

A pile of AWS and other cloud credentials

The Codecov bash uploader performs what is known as code coverage for large-scale software development projects. It allows developers to send coverage reports that, among other things, determine how much of a codebase has been tested by internal test scripts. Some development projects integrate Codecov and similar third-party services into their platforms, where there is free access to sensitive credentials that can be used to steal or modify source code.
The code sends both the GitHub repository location and the entire process environment to the remote site, which has been redacted because Codecov says it’s part of an ongoing federal investigation. These types of environments typically store tokens, credentials, and other secrets for software in Amazon Web Services or GitHub.

Armed with these secrets, there’s no shortage of malicious things an attacker could do to development environments that relied on the tool, said HD Moore, a security expert and the CEO of network discovery platform Rumble. “It really depends on what was in the environment, but from the point that attackers had access (via the bash uploader), they might have been able to plant backdoors on the systems where it ran,” he wrote in a direct message with Ars. “For GitHub/CircleCI, this would have mostly exposed source code and credentials.”

Previous ArticleNext Article

Related Posts