On April 15, 2021, the software testing company Codecov disclosed that a malicious actor had surreptitiously modified some of its code in order to gain access to information (e.g., credentials, tokens, and keys) within the DevOps environments of Codecov’s customers. Codecov advised that the incident affected only code repositories that had used one of four Codecov uploader scripts between January 31 and April 1, 2021. Codecov provided notifications to impacted customers and publicly released indicators of compromise and remediation instructions.
Broadcom’s Infrastructure Software Group routinely evaluates the security of its software offerings, including by reviewing potential vulnerabilities in, or compromises of, third-party tools connected with our continuous integration/continuous delivery pipeline. To date, Broadcom has not been advised that any of its software was affected by the Codecov incident. Moreover, our software product teams have reviewed the information disclosed by Codecov and concluded that their environments were not exposed to the malicious scripts. Accordingly, at this time we believe the Codecov incident does not present a risk to Broadcom’s software.