Case Studies: Historical Grid
Codecov Bash Uploader Breach (2021)
A Single Tampered CI Script Quietly Drains Secrets From Thousands of Build Pipelines for Two Months
In April 2021, Codecov disclosed that an attacker had used a flaw in its Docker image build to extract credentials and modify the widely used Bash Uploader script. For roughly two months, the altered script silently exfiltrated environment variables — tokens, keys, and credentials — from customers' CI/CD pipelines to an attacker-controlled server. Investigators reconstructed the intrusion via Git history of the uploader and outbound traffic analysis, and the case became the textbook example of why every secret exposed to a build runner must be treated as compromised — the exact lesson now echoing through Mini Shai-Hulud.
ASUS ShadowHammer (2019)
Stolen Code-Signing Certificates Push a Backdoored Live Update to a Million Machines — Aimed at 600
Kaspersky's Operation ShadowHammer revealed that attackers had trojanized the ASUS Live Update utility and signed it with legitimate, stolen ASUS code-signing certificates, distributing it through official channels to roughly one million users. The implant checked each host's MAC address against a hardcoded list of about 600 targets before fetching a second-stage payload. Forensic teams matched the malicious binaries by certificate serial and timestamp — a direct historical parallel to this week's Fox Tempest takedown and the enduring danger of trusted signatures.
SolarWinds Sunburst (2020)
APT29 Implants a Signed Backdoor in the Build Pipeline: 18,000 Orion Customers, Months of Undetected Beaconing
In December 2020, FireEye discovered that APT29 (Cozy Bear) had compromised SolarWinds' build server and inserted the SUNBURST backdoor into a signed Orion Platform DLL, distributed via routine update to ~18,000 customers. Forensic teams identified DGA-based C2 over avsvmcloud.com, in-memory loaders, and pre-staged TEARDROP and RAINDROP payloads. The case forced DFIR to treat code-signing certificates and CI/CD pipelines as crown-jewel assets — the threat model defining this entire week.
Kaseya VSA / REvil (2021)
Supply-Chain Ransomware Hits 1,500+ Downstream Customers in a Single Patch Push
On July 2, 2021, REvil exploited zero-day CVE-2021-30116 in Kaseya VSA's authentication and dropped an encryptor through the platform's own software-management agent, hitting 60 MSPs and an estimated 1,500+ end customers worldwide. Sophos and Mandiant reconstructed the attack chain through VSA agent procedure logs and the malicious "Kaseya VSA Agent Hot-fix" task. The FBI later recovered a universal decryptor; the case codified MSP and management-plane software as the highest-leverage supply-chain target class.