A publicly available software development tool contained malicious code that stole the authentication credentials that apps need to access sensitive resources. It's the latest revelation of a supply chain attack that has the potential to backdoor the networks of countless organizations. The Codecov bash uploader contained the backdoor from late January to the beginning of April, developers of the
![Backdoored developer tool that stole credentials escaped notice for 3 months](https://cdn-ak-scissors.b.st-hatena.com/image/square/62f915bd5371bc7b56959af8e8d3ea1c1b657ca7/height=288;version=1;width=512/https%3A%2F%2Fcdn.arstechnica.net%2Fwp-content%2Fuploads%2F2021%2F04%2Fsoftware-development-760x380.jpeg)