Codecov npm module prior to 3.6.2 allows remote malicious users to execute arbitrary commands via the "gcov-args" argument.
codecov nodejs uploader