May 18 · 4 min read
Codecov hackers gained access to Monday.com source code
Monday.com has recently disclosed, according to BleepingComputer, that it was impacted by the Codecov supply-chain attack. After its investigation into the Codecov breach, monday.com found that unauthorized actors had gained access to a read-only copy of its source code.
Monday.com is the latest victim of this attack, which has already affected hundreds of companies including HashiCorp, Confluent, Twilio and Rapid7.
The breach allowed a malicious third party to alter a version of the bash uploader script so that it could export information from continuous integration (CI) environments to a third-party server, which according to Codecov could potentially affect:
One of the main contributors to the weak security posture of development environments is the complexity and knowledge gap created by the number of tools and services taking part in the process. With more than a hundred CI/CD tools to choose from, and hundreds of plugins and services connected to those tools, it is no wonder that security teams have a hard time grasping the amount of information and the security requirements of these environments.
It is not rare to see a CI/CD pipeline built from 10 to 20 different tools and services: some cloud services, some open-source tools, and a variety of plugins. It is impossible to keep track of this complexity manually, and the result can be exposure of your environment, code, secrets, and network through vulnerabilities in those tools and plugins.
The DevOps tool sprawl continues as more and more companies introduce DevOps products and services. Development teams take advantage of these new CI/CD tools and services to build their pipelines and enhance the process, but in doing so they also increase the exposure of their pipeline to risk. Add to that the limited collaboration between development and security teams, and the lack of visibility and control over these services, and it is no surprise that CISOs and application security managers look puzzled when asked about the security of their CI/CD pipelines.
The recent series of supply chain attacks affected tens of thousands of companies. CI/CD pipelines now form the backbone of modern DevOps operations, and as this trend continues we cannot ignore the urgency of protecting customers' development environments from these pervasive attacks.
The complexity and collaborative nature of these environments make them an easy target for attackers, who can take advantage of vulnerabilities and misconfigurations in pipeline plugins and services. By gaining access to a CI/CD pipeline, attackers can hijack your updates, inject malicious code, and obtain a backdoor into your environment and your customers' environments.
The latest Codecov and SolarWinds attacks taught us two alarming facts:
Organizations must take proactive action to secure their software supply chain from such attacks and prevent attackers from using these backdoors into their environments. This requires taking into account the complexity of development environments, the various third-party plugins and services connected to them, and the sophisticated nature of today's supply chain attacks.
Security and DevOps teams need to watch their pipeline dependencies closely to identify and respond to vulnerabilities and attacks against those add-on services and tools.
Whenever a new service is connected to your pipeline, it needs to be checked and then monitored constantly for any vulnerability or suspicious activity. Any suspicion should automatically trigger an alert to the appropriate stakeholders, who need to verify the integrity of the service and ensure there is no risk associated with it.
The way Argon detects and prevents supply chain attacks like the one that happened to Codecov is through a multi-layered security approach:
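As an added illustration of the integrity check described above, applied to the kind of downloaded helper the Codecov bash uploader is (example code, not from the original post or from Codecov or Argon): instead of piping a fetched script straight into a shell, the CI job saves it to a file, compares its SHA-256 against a hash pinned in the repository, and refuses to execute it on mismatch. The sample script, the tampered copy and the pinned hash below are all constructed for the example.

```shell
#!/bin/sh
# Added example: gate execution of a downloaded CI helper on a pinned SHA-256.
# The risky pattern this replaces is `bash <(curl -s https://example.invalid/uploader)`,
# which runs whatever the remote host serves at that moment with the job's secrets in scope.

sha256_of() {
    # Portable SHA-256: GNU coreutils or Perl/BSD shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256 -> 0 if the file matches the pinned hash, 1 otherwise.
verify_script() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "integrity check failed for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# run_pinned FILE EXPECTED_SHA256 -> executes FILE only after verify_script passes.
run_pinned() {
    verify_script "$1" "$2" || return 1
    sh "$1"
}

# Constructed sample: a harmless stand-in for a reviewed uploader release.
SAMPLE=$(mktemp)
printf '#!/bin/sh\necho "uploading coverage report"\n' > "$SAMPLE"

# PINNED is derived here from the trusted copy only to keep the example self-contained.
# In a real repository it is a literal committed next to the CI config and changed
# deliberately when a new uploader release has been reviewed.
PINNED=$(sha256_of "$SAMPLE")

# Constructed tampered copy: a single appended line is enough to change the hash.
TAMPERED=$(mktemp)
cat "$SAMPLE" > "$TAMPERED"
printf 'echo "extra line appended by someone else"\n' >> "$TAMPERED"
```

The same pattern applies to any fetched installer or plugin: pin, verify, then run, and treat a mismatch as the alert described above rather than as a retry.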
Eran Orzel, Argon’s Chief Revenue Officer
Topics: Supply Chain Attack, Codecov breach, SolarWinds Sunburst attack, DevOps Pipeline Breach, DevOps, Codecov, DevSecOps, CI/CD Pipeline Security, CICD security best practices, Codecov leak