Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year.
“A small subset of our source code repositories for internal tooling for our [Managed Detection and Response] service was accessed by an unauthorized party outside of Rapid7,” the Boston-based firm said in a disclosure. “These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers.”
On April 15, software auditing startup Codecov alerted customers that its Bash Uploader utility had been infected with a backdoor as early as January 31 by unknown parties to gain access to authentication tokens for various internal software accounts used by developers. The incident didn’t come to light until April 1.
“The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” the company noted, adding the adversary carried out “periodic, unauthorized alterations” to the code that enabled them to exfiltrate information stored in its users’ continuous integration (CI) environments to a third-party server.
Rapid7 reiterated there’s no evidence that other corporate systems or production environments were accessed, or that any malicious changes were made to those repositories. The company also added its use of the Uploader script was limited to a single CI server that was used to test and build some internal tools for its MDR service.
As part of its incident response investigation, the security firm said it notified a select number of customers who may have been impacted by the breach. With this development, Rapid7 joins the likes of HashiCorp, Confluent, and Twilio who have publicly confirmed the security event to date.
Codecov customers who have used the Bash Uploaders between January 31, 2021 and April 1, 2021 are recommended to re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes.