Privacy Ninja

Twilio Discloses Impact From Codecov Supply-chain Attack

Cloud communications company Twilio has now disclosed that it was impacted by the recent Codecov supply-chain attack in a small capacity.

As reported by BleepingComputer last month, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months.

During this two-month period, threat actors had modified the legitimate Codecov Bash Uploader tool to exfiltrate environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments.

Using the credentials harvested from the tampered Bash Uploader, Codecov attackers reportedly breached hundreds of customer networks.

Twilio: small number of customer email addresses exposed

Today, cloud communications and VoIP platform Twilio has announced that it was impacted by the Codecov supply-chain attack.

Shortly after Codecov disclosed the security incident concerning its Bash Uploader last month, Twilio was notified that it had been impacted too.

As seen by BleepingComputer, multiple Twilio projects use the Codecov Bash Uploader that had earlier been modified:

Codecov Bash Uploader in use by multiple Twilio projects
Source: BleepingComputer

But, Twilio states, the illicitly altered Bash Uploader component was in active use in only a small number of Twilio's projects and CI pipelines, none of which concern critical systems.

“These projects and CI pipelines are not in the critical path to providing updates or functionality to our communication APIs,” explained Twilio in a statement released today.

“Our subsequent investigation into the impact of this event found that a small number of email addresses had likely been exfiltrated by an unknown attacker as a result of this exposure.”

“We have notified those impacted individuals privately and have remediated the additional potential exposure by thoroughly reviewing and rotating any potentially exposed credentials,” continues the statement.

Email addresses found in GitHub repository

On April 22nd, GitHub had also notified Twilio after detecting suspicious activity related to the Codecov exposure; specifically, a Twilio user token had been exposed.

“GitHub.com had identified a set of GitHub repositories that had been cloned by the attacker in the time before we were notified by Codecov.”

“Our investigation turned from identifying secrets to identifying the content of the repositories that were cloned,” says Twilio.

It was then in one such GitHub repository that Twilio’s security team found “a small number of email addresses belonging to Twilio customers,” although the company has not disclosed what exactly this “small number” is.

Twilio states that at this time there is no indication or evidence of any other customer data having been exposed, or that Twilio’s repositories were altered by the attackers in any manner.

As part of its investigation, the company additionally ran an automated search for exposed secrets and manually analysed the findings.

Further, the company has rotated all secrets that could possibly have been exposed in the repositories as a result of the Codecov supply-chain attack.

Twilio has also taken steps to detect such incidents in the future, such as scanning GitHub pull requests in real-time to spot any exposed secrets and common insecure coding practices.

Twilio not the only company to be impacted

Twilio is not the first or the only company to be impacted by the Codecov supply-chain attack.

Last month, as reported by BleepingComputer, HashiCorp had disclosed that their GPG private key had been exposed in the attack.

This key had been used for signing and verifying software releases, and therefore had to be rotated.

Since then, several other Codecov clients have had to rotate their credentials. Whether they were actually impacted, and to what extent, remains unclear.

Prior to the breach having been spotted by Codecov, the Bash Uploader was in use by thousands of open-source projects:

Thousands of repositories using Codecov Bash Uploader
Source: grep.app

Similarly, BleepingComputer also came across a discussion among Mozilla Firefox community members who acknowledged rotating secrets following the Codecov attack.

Mozilla responded to us with:

“In response to Codecov’s breach which was announced on April 15, 2021, Mozilla’s security team coordinated the rotation of credentials and tokens pursuant to the guidance of Codecov.”

“No evidence of compromise was detected, and we don’t expect any impacts to Mozilla’s products or services,” a spokesperson for Mozilla told BleepingComputer.

Last week, Codecov began sending additional notifications to the impacted customers and disclosed a thorough list of Indicators of Compromise (IOCs), i.e. attacker IP addresses associated with this supply-chain attack.

Codecov users should scan their CI/CD environments and networks for any signs of compromise, and as a safeguard, rotate any and all secrets that may have been exposed.
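The root of this incident was a CI script fetched and executed without being checked against a known-good copy. The following added example (not code from the article, Codecov or Twilio) shows the defensive check a pipeline can apply: pin the SHA-256 of a third-party script and refuse to run any copy whose hash differs. The "uploader" files and their hashes are constructed here for illustration; a real pipeline would store the pinned hash of the vendor's published script in the repository.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded CI helper script against a pinned SHA-256
# before executing it, so a tampered copy fails the job instead of running.

sha256_of() {
  # Print the hex SHA-256 of a file; fall back to shasum where sha256sum is absent.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_script() {
  # Usage: verify_script <path> <expected-sha256>
  # Returns 0 only when the file's hash equals the pinned value.
  local actual
  actual="$(sha256_of "$1")"
  [ "$actual" = "$2" ]
}

run_pinned() {
  # Usage: run_pinned <path> <expected-sha256>
  # Execute the script only after verification; otherwise fail the CI step.
  if verify_script "$1" "$2"; then
    bash "$1"
  else
    echo "refusing to execute $1: checksum mismatch" >&2
    return 1
  fi
}

# Constructed sample data (not real Codecov files): a known-good "uploader"
# and a copy with one extra line appended, standing in for a modified script.
tmp="$(mktemp -d)"
printf '#!/bin/bash\necho "uploading coverage report"\n' > "$tmp/uploader.sh"
PINNED="$(sha256_of "$tmp/uploader.sh")"   # the value a team would commit alongside its CI config
cp "$tmp/uploader.sh" "$tmp/tampered.sh"
printf 'echo "extra line added after the hash was pinned"\n' >> "$tmp/tampered.sh"
```

Any change to the fetched script, however small, changes its hash, so the pinned value must be updated deliberately when the vendor publishes a new release rather than by re-hashing whatever was last downloaded.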
