Contents:
Monday, GitHub announced that unidentified threat actors were able to exfiltrate encrypted code signing certificates for certain versions of the GitHub Desktop for Mac and Atom applications.
Therefore, the company is taking the precautionary action of canceling the exposed certificates. These versions of GitHub Desktop for Mac have been rendered invalid: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2.
Atom 1.63.0 versions 1.63.0 and 1.63.1 will stop functioning on February 2, 2023, prompting users to downgrade to an earlier version (1.60.0) of the source code editor. Atom was discontinued officially in December 2022. The Windows version of GitHub Desktop is not affected.
How Did the Breach Happen?
A hacked personal access token (PAT) associated with a machine account is reported to have cloned the repositories the day before. The compromised credentials were revoked after none of the repositories had consumer data. GitHub did not specify how the token was compromised.
Several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. (…) We have no evidence that the threat actor was able to decrypt or use these certificates.
It’s worth noting that successful certificate decoding could allow an attacker to sign trojanized programs with these certificates and pass them off as coming from GitHub, explains The Hacker News.
The Impact on GitHub.com
We investigated the contents of the compromised repositories and found no impact to GitHub.com or any of our other offerings outside of the specific certificates noted above. No unauthorized changes were made to the code in these repositories.
On February 2, 2023, the three compromised certificates — two Digicert code signing certificates used for Windows and one Apple Developer ID certificate – will be revoked.
The code hosting platform also reported that on January 4, 2023, it delivered an updated version of the Desktop app signed with fresh certificates that did not leave the app vulnerable to the threat actor.
The company’s full announcement on the subject is available here.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.