Rapid7 Admits Codecov Trouble but Says Code Hasn’t Been Affected

• Rapid7 says they were impacted by Codecov’s supply chain trouble, but their product code wasn’t affected.
• This means the impact is minimal, and it mostly concerns internal systems and employee accounts.
• The impact of Codecov is still unraveling as thousands of high-profile customers carry out investigations.

Rapid7 has posted an announcement to inform the public about the fact that they have been affected by the Codecov supply chain hack that was discovered in April but assures that its code hasn’t been modified. The company took Codecov’s security notice seriously when it came out and immediately investigated the matter.

What they found was a partial compromise that mostly concerns their internal tooling for their MDR (Managed Detection and Response) service. Since Codecov wasn’t used on any CI servers used for product code, no malware could have trickled down the supply chain.

Codecov informed the world about a catastrophic supply chain hack affecting its “Bash Uploader” script, used by numerous high-profile companies out there. By the time this came out, the malicious actors already had 2.5 months of active exploitation under their belt, so the damage had already been done. The number of potentially affected entities was defined to be 19,000, including IBM and Hewlett Packard Enterprise.

The three points that sum up the results of Rapid7’s internal investigation are as follows:

1. A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7.
2. These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers.
3. No other corporate systems or production environments were accessed, and no unauthorized changes to these repositories were made.

If you are using any Rapid7 tools and if you have been confirmed by the company as impacted, you will be directly contacted with guidance on what to do next. If you are nervous about this and want to contact them now, you are advised to send an email to “[email protected]”.

Rapid7 offers cybersecurity and compliance solutions services, so its products are meant to help mitigate risks through penetration testing, vulnerability management, and IT operations in general. It is unfortunate that products in this category could have been used to introduce dire security risks, but this is the ironic way that the field works oftentimes.