Codecov bash uploader breach remediation

Codecov breach

codecov.io is a CI service that we use for tracking code coverage of our test suite. It was recently disclosed that there was a breach of the codecov.io “bash uploader” and three of our repositories were affected. The attacker modified the “bash uploader” script to capture all environment variables and exfiltrated them to a third-party server. Because this job is run against CI jobs on our default branch, this means any secrets that we had exposed to CI via encrypted envs should be considered compromised.

TLDR

The day this was made public (2020-04-15) I did an audit of the repos hosted under the Matplotlib org on GitHub. We did have exposure; however, all of the affected secrets have been remediated.

details

I have redacted the identities of whose credentials were compromised out of an abundance of caution. If you have a reason you think you need to know this information, email me and we will discuss it.

Exposure

We had 5 repositories with exposure to this breach:

explicit use of bash script

  • cycler: .travis.yml
  • matplotlib: azure-pipelines.yml
  • matplotlib: .travis.yml (older versions)

github workflow exposure

  • mpl-probscale: .github/workflows/check-test-coverage.yml
  • matplotlib: .github/workflows/tests.yml

Additionally we installed the codecov Python package on circle, but do not use it (at one point we had the goal of building the examples under coverage and adding that to our overall coverage).

Remediation

cycler

There is no remediation needed as we did not have any secrets available to travis.

mpl-probscale

There was a maintainer's PyPI username and password as repo secrets. The maintainer was contacted and their password changed.

matplotlib

GH actions

There was an SSH key in the repo secrets which was a deploy key used to push commits to macPython/matplotlib-wheels on tag. This key was removed on both sides and the matplotlib-wheels repo was archived and we have moved the wheel building machinery to GH actions. The workflow that used this secret was removed and the secret was not replaced.

travis

Before we fully moved to GH actions we had 3 secrets encoded for travis. One secret was a GH token and two secrets were related to AWS. The owners of these credentials have been contacted, all have been revoked, and it was confirmed that there was no unexpected activity.

Azure

We did not expose any secrets to Azure so no action was needed.

CircleCI

Although we did not run the affected code on CircleCI, we do have the private side of a deploy key on circle to allow us to push the dev-docs back to matplotlib/devdocs for the default branch. Out of an abundance of caution this key was replaced.

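One way to repeat the exposure audit described above over a local checkout, as an added example that is not part of the original post or Matplotlib's own tooling: it flags the three kinds of Codecov use the post distinguishes (explicit bash script, GitHub workflow, Python package install). The regexes, function names, the CircleCI path and the sample file contents are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# CI config locations: the file names listed in the post, plus CircleCI's
# standard config path (an assumption; the post does not name that file).
CI_GLOBS = [".travis.yml", "azure-pipelines.yml", ".circleci/config.yml",
            ".github/workflows/*.yml", ".github/workflows/*.yaml"]

# One pattern per category the post distinguishes.
PATTERNS = {
    "bash-uploader": re.compile(r"codecov\.io/bash\b"),
    "github-action": re.compile(r"uses:\s*['\"]?codecov/codecov-action@"),
    "python-package": re.compile(
        r"\b(?:pip3?|conda)\s+install\b[^\n#]*(?<![\w-])codecov(?![\w-])"),
}

def scan_text(path, text):
    """Return (path, line_number, category) for every Codecov reference."""
    hits = []
    for num, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip steps that are commented out in this revision
        for category, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((path, num, category))
    return hits

def scan_checkout(root):
    """Scan the known CI config files under a local repository checkout."""
    root, hits = Path(root), []
    for glob in CI_GLOBS:
        for cfg in sorted(root.glob(glob)):
            rel = cfg.relative_to(root).as_posix()
            hits += scan_text(rel, cfg.read_text(errors="replace"))
    return hits

# Constructed sample contents (not the real Matplotlib configs).
SAMPLE = {
    ".travis.yml": "after_success:\n  - bash <(curl -s https://codecov.io/bash)\n",
    ".github/workflows/tests.yml":
        "steps:\n  - name: Upload\n    uses: codecov/codecov-action@v1\n",
    ".circleci/config.yml":
        "run: |\n  python -m pip install pytest codecov\n"
        "  # bash <(curl -s https://codecov.io/bash)\n",
}

def scan_sample():
    return [hit for path, text in SAMPLE.items() for hit in scan_text(path, text)]

if __name__ == "__main__":
    for path, num, category in scan_sample():
        print(f"{path}:{num}: {category}")
```

A scan of the current checkout only reflects the present state of each file; the post lists `.travis.yml` (older versions) as exposed, so the same scan has to be run over earlier revisions as well.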