Original release date: April 30, 2021
CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021. Upon discovering the compromise on April 1, 2021, Codecov immediately remediated the affected script. On April 15, 2021, Codecov notified customers of the compromise and on April 29, 2021, Codecov released an update containing new detections—including indicators of compromise (IOCs) and a non-exhaustive data set of likely compromised environment variables—to assist organizations in determining whether they have been affected.
CISA urges all Codecov users to review the Codecov update and:
Affected users should immediately implement the guidance in the Recommended Actions for Affected Users and FAQ sections of Codecov’s update. CISA recommends giving special attention to Codecov’s guidance on changing (“re-rolling”) potentially affected credentials, tokens, and keys. CISA also recommends revoking and reissuing any potentially affected certificates.
This product is provided subject to this Notification and this Privacy & Use policy.
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA released two Industrial Control Systems (ICS) advisories on October 7, 2025. These advisories provide…
CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA, in collaboration with the Federal Bureau of Investigation, the United Kingdom’s National Cyber Security…
CISA released two Industrial Control Systems (ICS) advisories on October 2, 2025. These advisories provide…
This website uses cookies.