Broadcom Software Is Not Impacted by Malicious Codecov Scripts

Article ID: 213848

Updated On:

Products

Other

Issue/Introduction

On April 15, 2021, the software testing company Codecov disclosed that a malicious actor had surreptitiously modified some of its code to gain access to information (e.g., credentials, tokens, and keys) within the DevOps environments of Codecov’s customers. Codecov advised that the incident affected only code repositories that had used one of four Codecov uploader scripts between January 31 and April 1, 2021. Codecov notified impacted customers and publicly released indicators of compromise and remediation instructions.

Resolution

Broadcom’s Infrastructure Software Group routinely evaluates the security of its software offerings, including by reviewing potential vulnerabilities in, or compromises of, third-party tools connected with our continuous integration/continuous delivery pipeline. To date, Broadcom has not been advised that any of its software was affected by the Codecov incident. Moreover, our software product teams have reviewed the information disclosed by Codecov and concluded that their environments were not exposed to the malicious scripts. Accordingly, at this time we believe the Codecov incident does not present a risk to Broadcom’s software.