Rapid7 has posted an announcement to inform the public about the fact that they have been affected by the Codecov supply chain hack that was discovered in April but assures that its code hasn’t been modified. The company took Codecov’s security notice seriously when it came out and immediately investigated the matter.
What they found was a partial compromise that mostly concerns their internal tooling for their MDR (Managed Detection and Response) service. Since Codecov wasn’t used on any CI servers used for product code, no malware could have trickled down the supply chain.
Codecov informed the world about a catastrophic supply chain hack affecting its “Bash Uploader” script, used by numerous high-profile companies out there. By the time this came out, the malicious actors already had 2.5 months of active exploitation under their belt, so the damage had already been done. The number of potentially affected entities was defined to be 19,000, including IBM and Hewlett Packard Enterprise.
The three points that sum up the results of Rapid7’s internal investigation are as follows:
If you are using any Rapid7 tools and if you have been confirmed by the company as impacted, you will be directly contacted with guidance on what to do next. If you are nervous about this and want to contact them now, you are advised to send an email to “[email protected]”.
Rapid7 offers cybersecurity and compliance solutions services, so its products are meant to help mitigate risks through penetration testing, vulnerability management, and IT operations in general. It is unfortunate that products in this category could have been used to introduce dire security risks, but this is the ironic way that the field works oftentimes.