Rapid7 says hackers accessed some of its source code in Codecov supply-chain attack
Cybersecurity firm Rapid7 revealed that an unauthorized party accessed some of its source code in a security incident linked to the Codecov supply-chain attack.
Last month, Codecov disclosed a security incident involving its Bash Uploader script, a tool that provides a framework and language-agnostic method for sending coverage reports to Codecov. The company said that an unauthorized party had gained access to Bash Uploader and modified it without permission.
The compromised tool allowed the threat actors to steal sensitive information like credentials, tokens, or API keys from customers’ continuous integration (CI) environments.
In a blog post Rapid7 said that after learning of the Codecov incident it launched its own investigation that showed that an unauthorized party accessed a small portion of source code repositories for internal tooling for its MDR service that contained some internal credentials, which have all been rotated, and alert-related data for a subset of the company’s MDR customers.
“Our use of Codecov’s Bash Uploader script was limited: it was set up on a single CI server used to test and build some internal tooling for our Managed Detection and Response (MDR) service. We were not using Codecov on any CI server used for product code,” the firm said.
According to Rapid7, no other corporate systems or production environments were accessed, and no unauthorized changes to these repositories were made.
The company said it notified some of its customers who may be affected by the incident.
Rapid7 is the latest addition to the list of companies impacted by the Codecov supply-chain attack, including software maker Hashicorp, cloud provider Confluent, and voice calling service Twilio.
