Back to articles

Tag archive

#supplychainsecurity

T
Jul 3, 2026

The Codecov bash uploader is five years old, and the class of attack still lives in your pipeline

A retrospective on the January 2021 Codecov breach revisits how a single tampered line in the uploader turned tens of thousands of downstream CI environments into a secret exfiltration channel. The mechanism has not aged; the countermeasures are boring, and most pipelines still have not shipped them.

Jul 3, 20263 min read0 reactions0 comments