
Codecov Breach - Bash Uploader

This playbook is part of the Rapid Breach Response Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook includes the following tasks:

  • Search for the Security Notice email sent from Codecov.
  • Collect indicators to be used in your threat hunting process.
  • Query network logs to detect related activity.
  • Search for the use of the Codecov bash uploader in GitHub repositories.
  • Query Panorama to search for logs with related anti-spyware signatures:
    - Data Exfiltration Traffic Detection
    - Malicious Modified Shell Script Detection
    Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
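
The repository-search task above, sketched as a stand-alone check over CI files already pulled from a repository. This is an added example, not the playbook's code or its GitHub query; the file names and contents are constructed samples, and the only external fact it relies on is the uploader's public location, codecov.io/bash.

```python
import re

# Public location of the Bash Uploader; all other names here are illustrative.
UPLOADER_URL = re.compile(r"https?://codecov\.io/bash\b", re.I)
# Fetched script handed straight to a shell: `bash <(curl ...)` or `curl ... | bash`.
DIRECT_EXEC = re.compile(
    r"(?:\b(?:ba|z)?sh\s+<\(\s*(?:curl|wget)\b[^)]*codecov\.io/bash)"
    r"|(?:\b(?:curl|wget)\b[^|]*codecov\.io/bash[^|]*\|\s*(?:ba|z)?sh\b)",
    re.I,
)

def find_uploader_use(files):
    """files maps path -> file text. Returns one finding per referencing line."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            # Comment-only lines are skipped; they do not run in CI.
            if stripped.startswith("#") or not UPLOADER_URL.search(stripped):
                continue
            findings.append({
                "path": path,
                "line": lineno,
                # True when the download is executed without any local check.
                "direct_exec": bool(DIRECT_EXEC.search(stripped)),
                "text": stripped,
            })
    return findings

# Constructed sample repository contents (not taken from any real project).
SAMPLE_FILES = {
    ".travis.yml": "language: python\nafter_success:\n"
                   "  - bash <(curl -s https://codecov.io/bash)\n",
    ".circleci/config.yml": "steps:\n"
                            "  - run: curl -s https://codecov.io/bash | bash -s -- -t $TOKEN\n",
    "ci/upload.sh": "#!/bin/sh\n# old: curl -s https://codecov.io/bash | bash\n"
                    "curl -fLso codecov https://codecov.io/bash\n"
                    "sha256sum -c codecov.sha256 && bash codecov\n",
    "README.md": "Coverage is reported with pytest-cov.\n",
}

if __name__ == "__main__":
    for f in find_uploader_use(SAMPLE_FILES):
        tag = "DIRECT-EXEC" if f["direct_exec"] else "reference"
        print(f"{f['path']}:{f['line']}: [{tag}] {f['text']}")
```

Pipelines flagged as direct execution ran whatever the URL served at build time, so their CI environment variables and tokens are the first candidates for review and rotation.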

More information: Codecov Security Notice


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Splunk Indicator Hunting
  • Panorama search thread-ids in threat logs
  • QRadar Indicator Hunting V2
  • Palo Alto Networks - Hunting And Threat Detection


This playbook does not use any integrations.


This playbook does not use any scripts.


  • extractIndicators
  • GitHub-search-code
  • ews-search-mailbox

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| KnownRelatedIOCs | Known related IOCs to the Codecov Bash Uploader breach to hunt. | | |
| CustomIOCs | Add your own custom Codecov Bash Uploader breach IOCs to hunt. | | Optional |
| EWSSearchQuery | The EWS query to find the Codecov security notice. | AND Subject:Bash Uploader Security Notice AND Received:three months | Optional |
| EWSSearchQuery_Limit | The limit of results to return from the search. | 50 | Optional |
| Github_Code_Search_query | GitHub query to search for Codecov bash uploader use. | | |
| InternalRange | A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: ",," (without quotes). | lists.PrivateIPs | Optional |

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

Codecov Breach - Bash Uploader