Cybersecurity firm Rapid7 on Thursday revealed that unidentified actors managed to gain access to a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year.
“A small subset of our source code repositories for internal tooling for our [Managed Detection and Response] service was accessed by an unauthorized party outside of Rapid7,” the Boston-based firm said in a disclosure. “These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers.”
On April 15, software auditing startup Codecov alerted customers that its Bash Uploader utility had been infected with a backdoor as early as January 31 by unknown parties to gain access to authentication tokens for various internal software accounts used by developers. The incident did not come to light until April 1.
“The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” the company noted, adding that the adversary carried out “periodic, unauthorized alterations” to the code that enabled them to exfiltrate information stored in its users’ continuous integration (CI) environments to a third-party server.
Rapid7 reiterated that there is no evidence that other corporate systems or production environments were accessed, or that any malicious changes were made to those repositories. The company also added that its use of the Uploader script was limited to a single CI server that was used to test and build some internal tools for its MDR service.
As part of its incident response investigation, the security firm said it notified a select number of customers who may have been impacted by the breach. With this development, Rapid7 joins the likes of HashiCorp, Confluent, and Twilio, who have publicly confirmed the security incident so far.
Codecov customers who have used the Bash Uploader between January 31, 2021 and April 1, 2021 are recommended to re-roll all of their credentials, tokens, or keys located in the environment variables of their CI processes.
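As an added example (not from the article, Rapid7 or Codecov), the following audit scans CI configuration text for the pattern the tampered uploader relied on: a remote script fetched and executed without any integrity check, so that any tokens in the CI environment flow straight into whatever code the server returned. The workflow fragment and the `EXPECTED_SHA256` variable are constructed for illustration.

```python
"""Flag CI steps that execute a downloaded script without verifying it first."""
import re
from typing import List, Tuple

# Constructed CI workflow fragment; not taken from any real repository.
SAMPLE_CI = """\
steps:
  - run: bash <(curl -s https://codecov.io/bash)
  - run: curl -s https://codecov.io/bash | bash -s -- -t $CODECOV_TOKEN
  - run: |
      curl -fsSL https://codecov.io/bash -o codecov.sh
      echo "${EXPECTED_SHA256}  codecov.sh" | sha256sum -c -
      bash codecov.sh
  - run: pytest
"""

CURL_PIPE_SH = re.compile(r'\bcurl\b[^|\n]*\|\s*(?:ba)?sh\b')   # curl ... | bash
PROC_SUBST = re.compile(r'\b(?:ba)?sh\s+<\(\s*curl\b')           # bash <(curl ...)
CURL_TO_FILE = re.compile(r'\bcurl\b.*?\s-o\s+(\S+)')            # curl ... -o file
CHECKSUM = re.compile(r'\bsha256sum\s+(?:-c|--check)\b')         # sha256sum -c
RUN_FILE = re.compile(r'\b(?:ba)?sh\s+(\S+)')                    # bash file


def audit_ci_config(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every unverified remote-script execution."""
    findings: List[Tuple[int, str]] = []
    pending = set()  # downloaded script paths not yet checksum-verified
    for lineno, line in enumerate(text.splitlines(), start=1):
        if CURL_PIPE_SH.search(line) or PROC_SUBST.search(line):
            findings.append((lineno, "remote script piped to a shell with no integrity check"))
            continue
        m = CURL_TO_FILE.search(line)
        if m:
            pending.add(m.group(1))
            continue
        if CHECKSUM.search(line):
            pending.clear()  # a checksum step verifies the downloads made so far
            continue
        m = RUN_FILE.search(line)
        if m and m.group(1) in pending:
            findings.append((lineno, f"downloaded script {m.group(1)} run before checksum verification"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_ci_config(SAMPLE_CI):
        print(f"line {lineno}: {reason}")
```

Only the third step in the sample passes: it pins the script to a known hash before running it, so a server-side modification would fail the check instead of executing with the job's tokens.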