Codecov customer Monday.com has disclosed a breach resulting from the wide-scale Codecov supply-chain attack, which also affected multiple other companies.
Monday.com is an online workflow management platform used by prominent names like BBC Studios, Adobe, Uber, Universal, Hulu, L’Oreal, Coca-Cola, and Unilever.
As we reported last month, the popular code coverage tool Codecov had been compromised by threat actors who modified the Codecov Bash Uploader tool. The modified uploader allowed them to exfiltrate sensitive data, including credentials, from Codecov customers’ CI/CD environments, which in turn led to breaches of hundreds of company networks.
Having investigated the Codecov breach, Monday.com found that unauthorized actors had gained access to a read-only copy of its source code, although there is no evidence the source code was tampered with, and no indication that customer data was affected by the attack.
“As of the date of this prospectus, we found no evidence of any unauthorized modifications to our source code nor any impact on our products,” says Monday.com.
However, the attackers had accessed some customer forms:
“The attacker did access a file containing a list of certain URLs pointing to publicly broadcasted customer forms and views hosted on our platform and we have contacted the relevant customers to inform them how to regenerate these URLs,” states the company.
Monday.com said that following the Codecov attack, it removed Codecov from its environment and no longer uses the service at all.
“Upon learning of this issue, we took immediate mitigation steps, including revoking Codecov access, discontinuing our use of Codecov’s service, rotating keys for all of monday.com’s production and development environments, and retaining leading cybersecurity forensic experts to assist with our investigation,” said Monday.com’s security team in last week’s blog post.
Codecov’s Bash Uploader was used by thousands of open-source projects, which is why the full extent of the attack is still unfolding long after its discovery.
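The Bash Uploader was typically fetched with `curl` and piped straight into `bash`, so a modified copy on the server ran unchecked in every pipeline that pulled it. The defensive pattern below is an added example (not Codecov’s code, and not from Monday.com or any other company named here): download the script to a file, compare its SHA-256 against a hash pinned in the repository, and execute it only on a match. The `sha256_of`, `verify_sha256` and `run_pinned` function names and the demo file are constructed for this illustration; the pinned hash in a real pipeline must come from a trusted, out-of-band source rather than being computed from the download itself.

```shell
#!/bin/sh
# Added example: pin a downloaded uploader/installer script to a known SHA-256
# before executing it, instead of piping `curl` directly into `bash`.
# All function names and the demo script are constructed for this illustration.

# Portable SHA-256 of a file: prefer sha256sum (coreutils), fall back to shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit status 0 if the hashes match, 1 otherwise.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# run_pinned FILE EXPECTED_HEX -> execute FILE only if its hash matches the pinned value.
# In a pipeline the pinned value lives in the repository (reviewed, version-controlled),
# so a server-side swap of the script is detected before a single line of it runs.
run_pinned() {
    if verify_sha256 "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: SHA-256 mismatch (expected $2)" >&2
        return 1
    fi
}

# Constructed demo: a harmless script is pinned, run, then altered and rejected.
demo() {
    tmp=$(mktemp -d)
    script="$tmp/uploader.sh"
    printf 'echo "uploader ran"\n' > "$script"

    # Pinned here only for the demo; in real use this is a reviewed constant in the repo.
    pinned=$(sha256_of "$script")
    run_pinned "$script" "$pinned" || { rm -rf "$tmp"; return 1; }

    # Simulate a server-side modification of the script (a benign extra line).
    printf '# modified after the hash was pinned\n' >> "$script"
    if run_pinned "$script" "$pinned" 2>/dev/null; then
        echo "tampered copy was NOT rejected" >&2
        rm -rf "$tmp"
        return 1
    fi
    echo "tampered copy rejected as expected"
    rm -rf "$tmp"
    return 0
}

demo
```

In a CI job the same three steps replace the one-liner: `curl -fsSLo uploader.sh "$URL"`, `verify_sha256 uploader.sh "$PINNED"`, then run it. Updating the tool then becomes a reviewed change to the pinned hash, which is exactly the review step a silently modified download bypasses.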
This week, US cybersecurity firm Rapid7 disclosed that it had become a victim of the Codecov attackers. Last month, HashiCorp had announced the same.
Cloud platform Twilio, too, had reported that Codecov attackers accessed its private repositories.
Since then, the Codecov attacks have been compared to the SolarWinds supply-chain attacks, and US federal investigators have launched an investigation into the full impact of the incident.