Source code and credentials belonging to cybersecurity company Rapid7 were accessed by an unauthorized third party during a supply-chain attack on Codecov.
Starting on January 31, hackers gained restricted access to hundreds of networks belonging to Codecov’s customers by tampering with one of the San Francisco–based company’s software development tools.
Codecov, whose customers include IBM and Hewlett-Packard, announced on April 15 that a malicious party had gained access to its Bash Uploader script and modified it.
“The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” stated Codecov.
On its website, Codecov said it had put together a non-exhaustive lists of environment variables that were compromised in the attack. The company advises its customers to log in to their accounts “as soon as possible to see if you are in this affected population.”
On Thursday, Rapid7 announced that it was among the customers of the stricken firm to be impacted by the attack.
“A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7,” stated the company.
“These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers.”
Rapid7 added that no other corporate systems or production environments had been accessed in the security incident, and no unauthorized changes had been made to these repositories.
Customers of Rapid7 who were in turn impacted by the attack have been notified by the company.
“Computer security companies are just regular companies. Some have better security than other companies, some not so much,” commented KnowBe4’s Roger Grimes.
“I remember the first time a company I worked for did a security review of the source code of a far larger, very popular security company that nearly the whole world used at the time. You would think that their source code would be tight, error free. Instead, it had hundreds of security vulnerabilities. Simple, easy-to-see, security vulnerabilities.”