⛓ Supply Chain
Codecov Bash Uploader Supply Chain Attack — CI/CD Credential Exfiltration
Incident Details
Between 31 January and 1 April 2021, attackers silently modified Codecov’s popular bash uploader script, which thousands of CI/CD pipelines used to upload code coverage reports. Every CI/CD pipeline that ran the tampered script had its environment variables — including secrets, API tokens, AWS keys, and credentials — exfiltrated to an attacker-controlled server (opcode.io). Codecov discovered the compromise on 1 April 2021 after a customer noticed a SHA256 checksum mismatch, and disclosed it publicly on 15 April. The script was used in pipelines at major companies including Twilio, Atlassian, HashiCorp, Snyk, The Washington Post, Shopify, Confluent, Procore, and hundreds of others. Twilio confirmed their build environment was compromised; HashiCorp’s Mercurial mirror signing key was exposed (requiring key rotation); Atlassian confirmed credential exposure. The FBI assisted with the investigation. The attack was notable for running silently in CI pipelines for over two months — affecting both open-source and private enterprise pipelines. The attacker leveraged stolen credentials to attempt further downstream breaches. The technique — compromising a widely used CI/CD integration to harvest secrets at scale — became a template for subsequent supply chain attacks. Attribution pointed to a Russian-nexus actor with TTPs similar to APT29/Cozy Bear (SVR). The incident prompted industry-wide review of CI/CD pipeline security, bash script integrity checking, and least-privilege credential practices.
Technical Details
- Initial Attack Vector
- Attacker exploited a flaw in Codecov's Docker image creation process to extract credentials from Codecov's Google Cloud Storage bucket; used these credentials to modify the bash uploader script (bash.codecov.io/bash) — distributed to CI/CD pipelines globally — to exfiltrate environment variables including secrets, API tokens, and credentials to an attacker-controlled server (opcode.io)
- Vendor / Product
- Codecov Bash Uploader (codecov.io CI/CD code coverage reporting tool)
- Software Package
- codecov-bash
- Supply Chain Attack
- ✅ Confirmed third-party / vendor compromise
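The checksum mismatch that surfaced this compromise is the check a pipeline can apply before every run: pin the SHA256 of the reviewed uploader script in the pipeline configuration and refuse to execute any downloaded copy whose hash differs. The script below is an added example, not Codecov's code or part of the original record. The function names (`verify_pinned`, `run_if_pinned`), the file name `uploader.sh` and the variable `PINNED_SHA256` are hypothetical, and the script contents used for the demonstration are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not Codecov's own code): pin-and-verify pattern for a
# downloaded CI script, so a tampered copy is refused instead of executed.
# Function and file names are hypothetical; the script body is constructed.

set -eu

# Print the SHA256 of a file, using whichever tool the runner has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Return 0 only if FILE matches EXPECTED; report the mismatch otherwise.
# Usage: verify_pinned FILE EXPECTED_SHA256
verify_pinned() {
  file=$1; expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# Execute FILE with sh only after it passes verify_pinned.
run_if_pinned() {
  if verify_pinned "$1" "$2"; then
    sh "$1"
  else
    echo "refused: $1 was not executed"
    return 1
  fi
}

# --- Demonstration with a constructed script (no network access needed) ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
script="$workdir/uploader.sh"
printf '#!/bin/sh\necho "uploading coverage report"\n' > "$script"

# "Pin time": the hash of the reviewed script is recorded in the pipeline
# configuration; in a real pipeline this is a literal, not computed at run time.
PINNED_SHA256=$(sha256_of "$script")

# Simulated tampering: any unreviewed change to the distributed copy.
tampered="$workdir/uploader-tampered.sh"
cp "$script" "$tampered"
printf '# unreviewed change\n' >> "$tampered"

# Reviewed copy runs; tampered copy is refused before a single line executes.
run_if_pinned "$script" "$PINNED_SHA256"
run_if_pinned "$tampered" "$PINNED_SHA256" 2>/dev/null || true

# Outcomes exposed as return values.
good_passes() { verify_pinned "$script" "$PINNED_SHA256"; }
tampered_fails() { ! verify_pinned "$tampered" "$PINNED_SHA256" 2>/dev/null; }
```

In a real pipeline the pinned hash is a literal committed alongside the CI configuration and updated only when a new script version has been reviewed; computing it from the freshly downloaded file, as a naive "curl | bash" replacement might, verifies nothing. A mismatch should fail the job loudly, since a silent fallback to the unverified copy recreates the original exposure.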
Timeline
- 2021-01-31 Breach occurred
- 2021-04-15 Publicly disclosed
- 2021-04-15 Customers notified