Rapid7 has Disclosed that Some Code Repositories were Accessed in Codecov Supply-Chain Attack

Cybersecurity vendor Rapid7 disclosed that it was among the victims of the Codecov software supply chain attack and warned that data for a subset of its customers was accessed in the breach.

Codecov Supply-Chain Attack

On April 15, 2021, the software company Codecov, a provider of code coverage solutions, announced a supply chain incident in which a malicious party gained access to Codecov’s Bash Uploader script and modified it, enabling the attacker to export data stored in environment variables on Codecov customers’ continuous integration (CI) systems to an attacker-controlled server.

The malicious code would allow the attacker to intercept uploads and scan and collect any sensitive information, including credentials, tokens, or keys. Hundreds of clients were potentially impacted, and now, Rapid7 has confirmed that the company was one of them.

Rapid7 says, “Our use of Codecov’s Bash Uploader script was limited: it was set up on a single CI server used to test and build some internal tooling for our Managed Detection and Response (MDR) service. We were not using Codecov on any CI server used for product code.” 

After the disclosure of the Codecov supply chain attack, the company launched an internal investigation to determine the potential impact on its infrastructure.

The experts discovered that:

  • A small subset of source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7
  • These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers
  • No other corporate systems or production environments were accessed, and no unauthorized changes to these repositories were made

The repositories accessed by the third party contained internal credentials and alert-related data for a subset of Rapid7's MDR (Managed Detection and Response) customers. In response to the breach, the company reset the impacted credentials.
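
An added example (not Rapid7's or Codecov's code) of scoping such a rotation: because the modified script could read every environment variable on the CI system, this Python script lists which variables in a NUL-delimited `env -0` dump look like credentials, by name or by value shape, without ever returning the values. The name hints, value patterns, function names and sample data are assumptions constructed for illustration.

```python
import re

# Name fragments that conventionally mark a secret (assumed list; extend per site).
NAME_HINT = re.compile(
    r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)

# Value shapes of common credential formats, checked even when the name is innocuous.
VALUE_SHAPES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password-in-url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I),
}

def parse_env0(dump: str) -> dict:
    """Parse NUL-delimited NAME=value records (GNU `env -0`), so multi-line
    values such as PEM keys stay attached to their variable."""
    env = {}
    for record in dump.split("\0"):
        name, sep, value = record.partition("=")
        if sep and name:
            env[name] = value
    return env

def rotation_candidates(env: dict) -> list:
    """Return sorted (name, reasons) pairs; values are never returned or logged."""
    found = []
    for name, value in env.items():
        reasons = []
        if value and NAME_HINT.search(name):  # an empty variable exposes nothing
            reasons.append("name")
        reasons += [label for label, rx in VALUE_SHAPES.items() if rx.search(value)]
        if reasons:
            found.append((name, reasons))
    return sorted(found)

# Constructed sample: fake values shaped like real credentials, not from any real system.
SAMPLE = "\0".join([
    "PATH=/usr/local/bin:/usr/bin",
    "CODECOV_TOKEN=00000000-0000-0000-0000-000000000000",
    "AWS_ACCESS_KEY_ID=AKIA" + "A" * 16,
    "DATABASE_URL=postgres://ci:example-pw@db.example.invalid:5432/app",
    "DEPLOY_KEY=-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----",
    "GIT_ORIGIN=https://x-access-token:ghp_" + "a" * 36 + "@git.example.invalid/org/repo.git",
]) + "\0"

if __name__ == "__main__":
    for name, reasons in rotation_candidates(parse_env0(SAMPLE)):
        print(f"{name}: {', '.join(reasons)}")
```

Variables such as `DATABASE_URL` and `GIT_ORIGIN` are flagged on value shape alone, which is the case a name-only review of CI settings would miss.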

Codecov has removed the unauthorized actor from its systems and is setting up monitoring and auditing tools to try to prevent another supply chain attack from occurring in the future.

Rapid7 has contacted the small subset of customers who may be impacted by this incident to ensure they take appropriate steps to mitigate any potential risk.

“We will update this notice if we learn new information that changes the scope of the impact described here. If you are a customer and have any questions or need further information, please contact your Account Team or email codecov-inquiries@rapid7.com”, concludes Rapid7.

Guru

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
