Security News

Rapid7 Source Code Breached in Codecov Supply-Chain Attack
2021-05-14 00:02

Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year. "A small subset of our source code repositories for internal tooling for our service was accessed by an unauthorized party outside of Rapid7," the Boston-based firm said in a disclosure.

Rapid7 source code, credentials accessed in Codecov supply-chain attack
2021-05-13 19:56

US cybersecurity firm Rapid7 has disclosed that some source code repositories were accessed in a security incident linked to the supply-chain attack that recently impacted customers of the popular Codecov code coverage tool. Only internal credentials and tooling source code were accessed.

Rapid7 Source Code Exposed in Codecov Supply Chain Attack
2021-05-13 18:59

Rapid7 says an unauthorized third party accessed source code and customer data during the Codecov supply chain breach. Enterprise security vendor Rapid7 says it was among the victims of the Codecov software supply chain attack and warned Thursday that data for a subset of its customers was accessed in the breach.

3 areas of implicitly trusted infrastructure that can lead to supply chain compromises
2021-05-13 05:30

Each one of these supply chain attacks targeted a different piece of implicitly trusted infrastructure: infrastructure that you may or may not be paying attention to as a potential target in your organization. Package squatting via software package repositories.

HackerOne partners with SecurityScorecard to evaluate corporate and supply chain cyber risk
2021-05-12 23:15

HackerOne and SecurityScorecard announced an integrated solution that uses hacker-powered security signals and data as a leading indicator for evaluating corporate and supply chain cyber risk. By seamlessly integrating the HackerOne API into the SecurityScorecard platform, users will now be able to showcase their bug bounty and vulnerability disclosure efforts in their scorecards and gain visibility into how their suppliers and partners are deploying these programs within their own environments.

Twilio, HashiCorp Among Codecov Supply Chain Hack Victims
2021-05-10 14:07

The massive blast radius from the Codecov supply chain attack remains shrouded in mystery as security teams continue to assess the fallout from the breach but a handful of victims are starting to publicly acknowledge possible exposure of sensitive developer secrets. The stealth software supply chain compromise of the Codecov Bash Uploader went undetected since January this year and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.

S3 Ep31: Apple zero-days, Flubot scammers and PHP supply chain bug [Podcast]
2021-05-06 18:28

We look into Apple's recent emergency updates that closed off four in-the-wild browser bugs. We explain how the infamous "Flubot" home delivery scam works and how to stop it.

Twilio discloses impact from Codecov supply-chain attack
2021-05-04 16:39

Cloud communications company Twilio has now disclosed that it was impacted by the recent Codecov supply-chain attack in a small capacity. Today, cloud communications and VoIP platform Twilio has announced that it was impacted by the Codecov supply-chain attack.

PHP community sidesteps its third supply chain attack in three years
2021-04-30 18:37

Supply chain researcher Max Justicz noticed that he could upload new PHP packages that would trick the Packagist system into running commands of his choice, rather than simply downloading and publishing his submission. The 2018 exploit involved simply swapping out a URL for a system command: instead of Composer downloading data from a URL, it would inadvertently run the command inserted where the URL was supposed to be.

Codecov starts notifying customers affected by supply-chain attack
2021-04-30 06:43

As of a few hours ago, Codecov has started notifying the maintainers of software repositories affected by the recent supply-chain attack. Codecov has now disclosed multiple IP addresses as IOCs that were used by the threat actors to collect sensitive information from the affected customers.