GitHub says unknown attackers have stolen encrypted code-signing certificates for its Desktop and Atom applications after gaining access to some of its development and release planning repositories.
So far, GitHub has found no evidence that the password-protected certificates (one Apple Developer ID certificate and two Digicert code signing certificates used for Windows apps) were used for malicious purposes.
“On December 6, 2022, repositories from our atom, desktop, and other deprecated Github-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account,” GitHub said.
“Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.”
The company added that there is no risk to GitHub.com services due to this security breach and that no unauthorized changes were made to the affected projects.
However, the compromised certificates will be revoked to invalidate the GitHub Desktop for Mac and Atom versions signed using them.
GitHub said that the three certificates would be revoked on February 2, 2023:
- One Digicert certificate expired on January 4, 2023 and the second will expire on February 1, 2023. Once expired, these certificates can no longer be used to sign code. While these will not pose an ongoing risk, as a preventative measure, we will revoke them on February 2.
- The Apple Developer ID certificate is valid until 2027. We are working with Apple to monitor for any new executable files (like applications) signed with the exposed certificate until the certificate is revoked on February 2.
GitHub has removed the latest two Atom app versions (1.63.0-1.63.1) from the releases page and will revoke the Mac and Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1 on February 2.
Once the certificates are revoked, all app versions signed with the compromised certificates will no longer function.
“On January 4, 2023, we published a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor,” GitHub added.