Rapid7 source code, alert data accessed in Codecov supply chain attack

The breached source code subset was used for internal tooling.
Written by Charlie Osborne, Contributing Writer

Rapid7 has disclosed the compromise of customer data and partial source code due to the Codecov supply chain attack. 

On Thursday, the cybersecurity firm said it was one of the victims of the incident, in which an attacker obtained access to the Codecov Bash uploader script. 

The cyberattack against Codecov took place on or around January 31, 2021, and was made public on April 15. The organization, which provides code coverage and testing tools, said that a threat actor tampered with the Bash uploader script, thereby compromising the Codecov-actions uploader for GitHub, Codecov CircleCl Orb, and the Codecov Bitrise Step. 

This enabled attackers to export data contained in user continuous integration (CI) environments. 

Hundreds of clients were potentially impacted, and now, Rapid7 has confirmed that the company was one of them. 

Rapid7 says the Bash uploader was used in a limited fashion as it was only set up on a single CI server used to test and build tooling internally for the Managed Detection and Response (MDR) service. 

As such, the attacker was kept away from product code, but they were able to access a "small subset of source code repositories" for MDR, internal credentials -- all of which have now been rotated -- and alert-related data for some MDR customers. 

Rapid7 has reached out to customers impacted by the data breach. 

The company pulled in cyberforensics assistance and following an investigation, has concluded that no other corporate systems or production environments were compromised. 

Codecov has since removed the unauthorized actor from its systems and is setting up monitoring and auditing tools to try and prevent another supply chain attack from occurring in the future.

Impacted customers were notified via email addresses on record and through the Codecov app. Codecov recommends that users of the Bash uploaders between January 31, 2021, and April 1, 2021, who did not perform a checksum validation should re-roll their credentials out of caution. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards