E-commerce platform Mercari has disclosed a major data breach incident that occurred due to exposure from the Codecov supply-chain attack. Mercari is a publicly traded Japanese company and an online marketplace that has recently expanded its operations to the United States and the United Kingdom. Threat actors had modified the legitimate Codecov Bash Uploader tool to exfiltrate environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments. The company says it had to wait on disclosing the data breach until today because its investigation activities had been ongoing.
Source: https://www.bleepingcomputer.com/news/security/e-commerce-giant-suffers-major-data-breach-in-codecov-incident/