Can you please tell users which repositories were affected? This situation is ridiculous for users with dozens of repositories, using various CIs and various code coverage providers. A lot of checking, cleaning, rotating. The way you disclosed the issue is not helpful.
How would they do that? The bash script is a static file on a public host. Users can simply download it, without Codecov knowing about the repos it's being used in.
Never automatically download any remote code without at least checking the checksum.
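One way to apply the checksum advice in a CI step, as an added example that is not part of the thread or of Codecov's tooling. The function names and the file name `uploader.sh` are hypothetical, and the pinned digest is assumed to be one you recorded in your repository when you reviewed the script.

```shell
#!/usr/bin/env bash
# Added example: run a downloaded script only if it matches a pinned SHA-256.

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the file's digest equals the pinned value.
# Return 2 for unusable input (missing file, malformed or empty pin).
verify_pinned() {
  local file=$1 expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || return 2
  # An empty or non-hex pin (e.g. an unset CI variable) must fail closed.
  case "$expected" in
    ''|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  actual=$(sha256_of "$file") || return 2
  [ "$actual" = "$expected" ]
}

# Execute the already-downloaded file only after verification.
# The download is saved to disk first and never piped straight into a shell.
run_pinned() {
  local file=$1 expected=$2
  shift 2
  if verify_pinned "$file" "$expected"; then
    bash "$file" "$@"
  else
    echo "refusing to run $file: SHA-256 does not match pinned value" >&2
    return 1
  fi
}
```

A mismatch stops the job before the script sees any CI secrets; the pin has to be updated deliberately, after review, whenever the upstream script changes.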
The e-mail they sent includes "Unfortunately, we can confirm that you were impacted by this security event." which means that they know. I guess there is an API endpoint that is specific to Bash Uploader and they use that + dates of API requests to figure out who was impacted. This must also contain the repository info (and they just confirmed that they can figure this out).
That may be wrong. I use the ruby gem and the email says that would not be affected but at the same time the email says I was affected. I'm re-rolling to be sure, but it would help not having conflicting information in the same email.