Security & supply chain

The Codecov bash uploader is five years old, and the class of attack still lives in your pipeline
A retrospective on the January 2021 Codecov breach revisits how a single tampered line in the uploader turned tens of thousands of downstream CI environments into a secret exfiltration channel. The mechanism has not aged; the countermeasures are boring, and most pipelines still have not shipped them.