Security firm Rapid7 says Codecov hackers accessed some of its source code
Catalin Cimpanu May 13, 2021

Boston-based security firm Rapid7 disclosed today that a threat actor accessed some of its source code after a hack at software supplier Codecov earlier this year.

Through today’s announcement, Rapid7 becomes the fourth company to admit to a second-hand breach because of the Codecov incident, where hackers accessed the company’s internal network and hid a credentials-harvesting module inside its Bash Uploader tool.
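The Codecov intrusion worked because CI pipelines fetched and executed a helper script without checking that it was still the version they had reviewed. The shell snippet below is an added example, not code from Codecov, Rapid7 or this article: it pins a downloaded CI script to a recorded SHA-256 digest and fails closed when the digest no longer matches. The file names, contents and digests are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Codecov's or Rapid7's code): pin a CI helper script to a
# known SHA-256 digest and refuse to execute it when the digest changes. All
# file contents and digests below are constructed for the demonstration.

# sha256_of FILE: print the hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_script FILE EXPECTED: return 0 if FILE's digest equals EXPECTED, else 1
verify_script() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'integrity check failed for %s\n  expected %s\n  actual   %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# run_verified FILE EXPECTED: execute FILE only after verify_script passes;
# on a mismatch nothing is executed and the CI step fails closed.
run_verified() {
    verify_script "$1" "$2" || return 1
    sh "$1"
}

# demo: simulate a reviewed uploader whose digest an operator has recorded in
# the pipeline configuration, then a copy at the same path that has been
# changed without review. Returns 0 when the pinned copy runs and the changed
# copy is rejected.
demo() {
    work=$(mktemp -d)
    script="$work/uploader.sh"
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$script"
    pinned=$(sha256_of "$script")   # digest recorded after review (constructed)

    run_verified "$script" "$pinned" || { rm -rf "$work"; return 1; }

    # Same path, content changed behind the pipeline's back (constructed
    # change: any unreviewed line added to the script).
    printf '#!/bin/sh\necho "uploading coverage report"\necho "unreviewed change"\n' > "$script"
    if run_verified "$script" "$pinned" 2>/dev/null; then
        rm -rf "$work"
        return 1   # the changed script ran: the check failed
    fi
    rm -rf "$work"
    return 0
}

demo && echo "pinned script ran; changed script was rejected"
```

The pinned digest has to live outside the fetched artifact (in the pipeline definition or a secret store), and updating it should be a reviewed change; a pin that is refreshed automatically from the same download location gives no protection.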

Two days shy of a month after Codecov disclosed its breach, Rapid7 now joins software maker Hashicorp, cloud provider Confluent, and voice calling service Twilio as the only companies to publicly admit to having been impacted.

Hackers accessed MDR source code

In a blog post today, the security firm said that while it only used one instance of the Codecov Bash Uploader script on a “single CI server used to test and build some internal tooling for our Managed Detection and Response (MDR) service,” the single server was enough for the attackers.

“A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7,” a spokesperson said today.

“These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers,” it added.

Rapid7 said that while attackers accessed its source code, they didn’t modify any code, nor did they pivot to other “corporate systems or production environments.”

The security firm said that as part of its incident response procedures, it also notified a small number of customers who may have been impacted by its breach.

More second-hand breaches expected to be disclosed

One month after the Codecov breach, the number of companies to publicly admit to having been impacted remains low.

While Hashicorp had to rotate a GPG private key, hackers accessed a read-only GitHub account at Confluent, and Twilio said that no sensitive data was accessed, Rapid7 appears to be the company that had the broadest intrusion of the four.

But the low number of victims is not a surprise. Security experts argued last month that the Codecov incident may impact hundreds or thousands of companies and that investigations into these second-hand breaches will take weeks and months to complete. The full aftermath of this breach has therefore yet to be seen, and more companies are expected to come forward throughout the rest of the year.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.