Codecov hackers accessed Monday.com source code in a supply-chain attack that affected a number of companies.
Monday.com is a popular workflow management platform, widely used by project managers, sales and CRM professionals, marketing teams, and various other organizational departments. Its prominent customers include Uber, BBC Studios, Adobe, Universal, Hulu, L’Oreal, Coca-Cola, and Unilever.
How did the Codecov hackers access Monday.com source code?
Earlier, the popular code coverage tool Codecov was compromised in a supply-chain attack that lasted for 2 months.
The hackers managed to alter the legitimate Codecov Bash Uploader tool. They managed to exfiltrate the environment variables from Codecov customers’ CI/CD environments, which contained sensitive information such as keys, tokens, and credentials.
The Codecov attackers were then able to use the credentials obtained through the altered Bash Uploader to further breach hundreds of customer networks.
How has this affected Monday.com?
Monday.com disclosed that it was among the Codecov customers impacted by the Codecov supply-chain attack.
Monday.com filed an F-1 form this week with the U.S. Securities and Exchange Commission (SEC) for its proposed Initial Public Offering (IPO). In the filing, the company shared details on the extent of the Codecov breach.
Investigations suggest the bad actors were able to get access to a read-only copy of the source code, though the company has no evidence that the source code was tampered with by the attackers or that any of its products are impacted.
According to the company, “the attacker did access a file containing a list of certain URLs pointing to publicly broadcasted customer forms and views hosted on our platform and we have contacted the relevant customers to inform them how to regenerate these URLs.”
It is still unclear if Monday.com customers have been impacted by the incident, but further investigations are being carried out.
Prior to the disclosure made in the SEC filing this week, Monday.com stated in a blog post that it had removed Codecov’s access to its environment and discontinued use of the service altogether.
Impact of the Codecov breach on Monday.com customers
The Codecov breach has not impacted Monday.com alone. It has been two months since the Codecov supply-chain attack, and the full extent of the attack is still unknown. New revelations continue to emerge as the investigation progresses.
- Rapid7, another victim of this attack, said some of its source code repositories and credentials were accessed by the Codecov attackers.
- HashiCorp disclosed earlier last month that its GPG private key had been exposed in the attack. The key is used for signing and verifying software releases, and therefore had to be rotated.
- Twilio, a cloud communications platform; Confluent, a cloud services provider; and Coalition, an insurance company, also reported that the Codecov hackers had accessed their private repositories.
After these incidents, many Codecov clients have rotated their credentials, whether or not they were impacted.
The Bash Uploader was used by thousands of open source projects before Codecov spotted the breach.
The Codecov breach is being treated similarly to the SolarWinds supply-chain attack, which brings U.S. federal investigators into the picture to investigate the full impact of the breach.
Codecov started sending additional notifications to the impacted customers last month and disclosed a thorough list of Indicators of Compromise (IOCs). This included the attacker IP addresses associated with this supply-chain attack.
How to stay protected from the Codecov Breach?
- Codecov users should scan their CI/CD environments and networks for any signs of compromise.
- They are also advised to rotate any and all secrets that may have been exposed.
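A starting point for both steps above, as an added example that is not part of the original article or of Codecov's own guidance: it finds CI definitions that fetch the Bash Uploader and lists the secret names visible in those files as rotation candidates. It assumes the uploader was fetched from `codecov.io/bash`; the secret-name patterns are heuristics and the sample workflow is constructed.

```python
import re
import sys
from pathlib import Path

# CI jobs commonly fetched the Bash Uploader from codecov.io/bash and ran it
# inside the job, so it saw every environment variable the job had.
UPLOADER = re.compile(r"codecov\.io/bash\b", re.I)
# Heuristic 1: GitHub Actions secret references, ${{ secrets.NAME }}.
GHA_SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
# Heuristic 2: NAME: value or NAME=value where NAME looks sensitive.
ENV_NAME = re.compile(
    r"^\s*(?:-\s*|export\s+)?"
    r"([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)[A-Z0-9_]*)\s*[:=]", re.M)

def audit(configs):
    """configs maps path -> file text. For each file that invokes the uploader,
    return the matching line numbers and the secret names to rotate."""
    findings = {}
    for path, text in configs.items():
        hits = [n for n, line in enumerate(text.splitlines(), 1)
                if UPLOADER.search(line) and not line.lstrip().startswith("#")]
        if hits:
            names = set(GHA_SECRET.findall(text)) | set(ENV_NAME.findall(text))
            findings[path] = {"lines": hits, "rotate": sorted(names)}
    return findings

def load_configs(root):
    """Collect YAML and shell files under root (where CI definitions usually live)."""
    return {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*")
            if p.is_file() and p.suffix in {".yml", ".yaml", ".sh"}}

# Constructed sample workflow, not taken from any real project.
SAMPLE = {".github/workflows/test.yml": """\
jobs:
  test:
    env:
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET }}
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      NODE_ENV: test
    steps:
      - run: npm test
      - run: bash <(curl -s https://codecov.io/bash)
"""}

if __name__ == "__main__":
    configs = load_configs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, f in audit(configs).items():
        print(f"{path}: uploader at lines {f['lines']}; rotate {f['rotate']}")
```

The names it reports are a minimum: secrets injected through the CI provider's project settings never appear in the repository and have to be inventoried there as well.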