Codecov Bash Uploader Compromise
Incident Report for Aptible
Resolved
On April 15, Codecov.io reported a breach [0] of their Bash Uploader script, which Aptible previously used to measure and report test coverage in 2 of its code repos, both JavaScript frontend applications.

Later that day, we rotated all credentials that had been present in the environment configuration of the 2 repos on Travis CI, where the Bash Uploader script had been invoked. These credentials consisted of:
• a GitHub access token associated with a read-only robot user
• a robot user password for pushing Docker images to Quay.io
• a robot user password for deploying apps on Aptible Deploy

We audited all access on Aptible Deploy and Quay, and confirmed the compromised robot user passwords were not used in either service. On April 22, with assistance from GitHub, we identified that the GitHub token *was* used to download several repos. We audited all credentials and confidential data contained within these repos. Importantly, no customer-owned data are stored in any of our code repos, and no customer-owned data were accessed or impacted by this incident.
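An access audit of the kind described above, reconstructed as an added example (this is not Aptible's code and does not reflect any vendor's real log schema): it scans a JSON-lines export of service audit events for uses of the robot accounts whose credentials sat in the affected CI configuration, flags any use from outside the CI provider's own egress ranges during the exposure window, and lists exposed principals with no activity at all, which is the evidence a responder needs to support a "not used" conclusion. The field names, the `EXPOSED_PRINCIPALS` table, the trusted egress range, the exposure start date and every log line are constructed for the example.

```python
"""Audit-log triage for credentials exposed to a compromised CI step.

Added example, not Aptible's code. The log format, principal names, IP ranges
and dates below are all constructed assumptions.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample audit events (JSON lines, one per service action).
SAMPLE_AUDIT_LOG = """\
{"ts": "2021-04-10T12:00:04Z", "service": "quay", "actor": "aptible+ci-push", "action": "push_image", "src_ip": "203.0.113.10"}
{"ts": "2021-04-12T08:15:22Z", "service": "github", "actor": "robot-ro", "action": "git.clone", "src_ip": "203.0.113.11"}
{"ts": "2021-04-14T03:41:09Z", "service": "github", "actor": "robot-ro", "action": "git.clone", "src_ip": "198.51.100.7"}
{"ts": "2021-04-14T03:41:15Z", "service": "github", "actor": "robot-ro", "action": "git.clone", "src_ip": "198.51.100.7"}
{"ts": "2021-04-14T09:00:00Z", "service": "deploy", "actor": "alice", "action": "deploy", "src_ip": "198.51.100.7"}
{"ts": "2021-03-30T09:00:00Z", "service": "github", "actor": "robot-ro", "action": "git.clone", "src_ip": "198.51.100.9"}
"""

# Constructed: robot accounts whose credentials were present in the CI config
# where the compromised uploader ran, keyed by the service they authenticate to.
EXPOSED_PRINCIPALS = {
    "github": {"robot-ro"},
    "quay": {"aptible+ci-push"},
    "deploy": {"ci-deploy-bot"},
}

# Constructed: egress ranges of the CI provider. Robot-account use from these
# addresses is the expected CI traffic; use from anywhere else is anomalous.
TRUSTED_CI_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption (placeholder date): earliest time the tampered script could have run.
EXPOSURE_START = datetime(2021, 4, 1, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON-lines audit events, normalising timestamps and source IPs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat() only accepts a "Z" suffix on Python 3.11+; normalise it.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["src_ip"] = ipaddress.ip_address(ev["src_ip"])
        events.append(ev)
    return events


def is_trusted(ip, networks):
    """True if the source address falls inside any trusted CI egress range."""
    return any(ip in net for net in networks)


def find_anomalous_uses(events, exposed, start, trusted):
    """Return uses of an exposed principal, inside the window, from an untrusted address."""
    hits = []
    for ev in events:
        if ev["ts"] < start:
            continue
        if ev["actor"] not in exposed.get(ev["service"], set()):
            continue
        if is_trusted(ev["src_ip"], trusted):
            continue
        hits.append(ev)
    return hits


def summarize(hits):
    """Collapse hits into (service, actor, src_ip) -> count, first/last seen, actions."""
    summary = {}
    for ev in hits:
        key = (ev["service"], ev["actor"], str(ev["src_ip"]))
        s = summary.setdefault(
            key, {"count": 0, "first": ev["ts"], "last": ev["ts"], "actions": set()}
        )
        s["count"] += 1
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
        s["actions"].add(ev["action"])
    return summary


def unused_principals(events, exposed, start):
    """Exposed principals with no activity at all inside the window.

    An empty hit list alone does not prove a credential was unused; this shows
    which principals have zero events, trusted or not, to support that claim.
    """
    used = {(ev["service"], ev["actor"]) for ev in events if ev["ts"] >= start}
    return {
        (service, actor)
        for service, actors in exposed.items()
        for actor in actors
        if (service, actor) not in used
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_AUDIT_LOG)
    hits = find_anomalous_uses(events, EXPOSED_PRINCIPALS, EXPOSURE_START, TRUSTED_CI_EGRESS)
    for key, s in summarize(hits).items():
        print(f"ANOMALOUS {key}: {s['count']} events, {s['first']} .. {s['last']}, {sorted(s['actions'])}")
    for service, actor in sorted(unused_principals(events, EXPOSED_PRINCIPALS, EXPOSURE_START)):
        print(f"NO ACTIVITY in window: {service}/{actor}")
```

Two design points are worth noting. The exposure window is deliberately the earliest plausible run of the tampered script, not the date the compromise was announced, because stolen credentials can be used long before disclosure; on the constructed data the clone on 2021-03-30 falls outside the placeholder window and is dropped. And the "anomalous" test is source-address based, so a real audit would also want to cross-check each robot-account event against the CI build that should have produced it, since an attacker who proxies through the CI provider's own network would not be caught by the egress filter alone.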

At this time, the only potentially compromised data is a list of companies (not individual users) who use Aptible Deploy and/or Comply. No sensitive or regulated information had been committed to the downloaded repos at any time. We will provide updates if we discover any new information, but based on our investigation thus far, we are resolving this incident.

[0] https://about.codecov.io/security-update/

Notes:
• Edited April 29 to clarify that no customer-owned data were impacted by this incident
Posted Apr 27, 2021 - 09:51 EDT