The cybersecurity firm Rapid7 says customer data and partial source code had been compromised by hackers. The breached source code was used for internal tooling.
Rapid7 has disclosed they became the next victim of the Codecov supply-chain attack on Thursday, May 13.
The cybersecurity firm said an attacker got unauthorized access to its Codecov Bash uploader script.
The cyberattack against Codecov took place on or around January 31, 2021, and was made public on April 15. The threat actor tampered with the Bash uploader script and thus compromised users’ continuous integration (CI) environments. Hundreds of clients had been potentially impacted in this supply-chain attack.
Rapid7 says their use of the Bash uploader was limited to testing and build tooling internally:
“It was set up on a single CI server used to test and build some internal tooling for our Managed Detection and Response (MDR) service. We were not using Codecov on any CI server used for product code.”
That’s why the attacker didn’t access the product code, but they did access a “small subset of source code repositories” for MDR, some customers’ alert data, and internal credentials, all of which have now been changed.
The company involved cyber forensics experts. The investigation has shown no other corporate systems or production environments had been impacted.
“We have contacted the small subset of customers who may be impacted by this incident to ensure they take appropriate steps to mitigate any potential risk,“ Rapid7 said.
Codecov said it has removed the unauthorized actor from its platform. The company is implementing monitoring and auditing procedures to prevent such supply-chain attacks in the future. Codecov recommends that Bash uploader users who did not perform a checksum validation rotate their credentials as a precaution.