Rapid7 says attacker accessed its source code in Codecov supply chain hack

An unauthorized party accessed Rapid7 source code via the Codecov supply chain compromise, the cybersecurity company said Thursday, making it the latest confirmed victim known to be swept up in the attack.

Rapid7 said it made limited use of Codecov’s affected Bash Uploader tool, used to share code reports with the software auditing company, as part of its managed detection and response program. After conducting an internal investigation, Rapid7 determined to what degree any outsiders might have infiltrated Rapid7 repositories.

“A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7,” the company wrote in a blog post.

“We have contacted the small subset of customers who may be impacted by this incident to ensure they take appropriate steps to mitigate any potential risk,” the blog post continued. “Note: If you haven’t been contacted by us about this already, it is because you are not impacted by this incident.”

The repositories also contained some internal credentials, Rapid7 said.

Hackers have reportedly gained access to hundreds of networks belonging to Codecov customers. The Codecov hack — revealed in April — followed in a series of high-profile supply chain breaches in recent months, most notably those involving SolarWinds and Accellion.

Twilio also revealed last week it was part of the Codecov fallout. “Our subsequent investigation into the impact of this event found that a small number of email addresses had likely been exfiltrated by an unknown attacker as a result of this exposure,” the company said.

The Codecov incident is among a series that has prompted greater government attention on supply chain security. Addressing that complex problem is one of the Biden administration’s goals for an executive order it unveiled on Wednesday.