Security firm Rapid7 says Codecov hackers accessed some of its source code

Boston-based security firm Rapid7 disclosed today that a threat actor accessed some of its source code after a hack at software supplier Codecov earlier this year.

Through today’s announcement, Rapid7 becomes the fourth company to admit to a second-hand breach because of the Codecov incident, where hackers accessed the company’s internal network and hid a credentials-harvesting module inside its Bash Uploader tool.

Two days shy of a month after Codecov disclosed its breach, Rapid7 now joins software maker Hashicorp, cloud provider Confluent, and voice calling service Twilio as the only companies to publicly admit to having been impacted.

Hackers accessed MDR source code

In a blog post today, the security firm said that while it only used one instance of the Codecov Bash Uploader script on a “single CI server used to test and build some internal tooling for our Managed Detection and Response (MDR) service,” the single server was enough for the attackers.

“A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7,” a spokesperson said today.

“These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers,” it added.

Rapid7 said that while attackers accessed its source code, they didn’t modify any code, nor did they pivot to other “corporate systems or production environments.”

The security firm said that as part of its incident response procedures, it also notified a small number of customers who may have been impacted by its breach.

More second-hand breaches expected to be disclosed

One month after the Codecov breach, the number of companies to publicly admit to having been impacted remains low.

While Hashicorp had to rotate a GPG private key, hackers accessed a read-only GitHub account at Confluent, and Twilio said that no sensitive data was accessed, Rapid7 appears to be the company that had the broadest intrusion of the four.

But the low number of victims is not a surprise. Security experts argued last month that the Codecov incident may impact hundreds or thousands of companies and that investigations into these second-hand breaches will take weeks and months to complete. We have yet to see the full aftermath of this breach, and more companies will come forward throughout the rest of the year.

Catalin Cimpanu

Catalin Cimpanu is a former cybersecurity reporter for Recorded Future News. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.
