Monday.com has recently disclosed the impact of the Codecov supply-chain attack that affected multiple companies.
Monday.com is an online workflow management platform used by project managers, sales and CRM professionals, marketing teams, and various other organizational departments.
The platform’s customers include prominent names like Uber, BBC Studios, Adobe, Universal, Hulu, L’Oreal, Coca-Cola, and Unilever.
As reported by BleepingComputer last month, popular code coverage tool Codecov had been a victim of a supply-chain attack that lasted for two months.
During this two-month period, threat actors had modified the legitimate Codecov Bash Uploader tool to exfiltrate environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments.
Using the credentials harvested from the tampered Bash Uploader, Codecov attackers reportedly breached hundreds of customer networks.
Monday.com source code accessed in Codecov attack
Codecov customer Monday.com has recently announced that it was impacted by the Codecov supply-chain attack.
In an F-1 form filed this week with the U.S. Securities and Exchange Commission (SEC) for Monday.com’s proposed Initial Public Offering (IPO), the company shared details on the extent of the Codecov breach.
After their investigation into the Codecov breach, Monday.com found that unauthorized actors had gained access to a read-only copy of their source code.
However, the company states, to this date, there is no evidence that the source code was tampered with by the attackers, or that any of its products are impacted.
Additionally, “the attacker did access a file containing a list of certain URLs pointing to publicly broadcasted customer forms and views hosted on our platform and we have contacted the relevant customers to inform them how to regenerate these URLs,” states the company.
At this time, there is also no indication that Monday.com customers’ data was affected by this incident, although the company continues to investigate.
Prior to the disclosure made in the SEC filing this week, Monday.com had previously stated that following the Codecov incident, they removed Codecov’s access to their environment and discontinued the service’s use altogether:
“Upon learning of this issue, we took immediate mitigation steps, including revoking Codecov access, discontinuing our use of Codecov’s service, rotating keys for all of monday.com’s production and development environments, and retaining leading cybersecurity forensic experts to assist with our investigation,” said Monday.com’s security team in last week’s blog post.