
On Monday, GitHub announced that unidentified threat actors had exfiltrated encrypted code signing certificates for certain versions of the GitHub Desktop for Mac and Atom applications.

As a result, the company is taking the precautionary step of revoking the exposed certificates. The following versions of GitHub Desktop for Mac have been rendered invalid: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2.

Atom versions 1.63.0 and 1.63.1 will stop functioning on February 2, 2023, prompting users to downgrade to an earlier version (1.60.0) of the source code editor. Atom was officially discontinued in December 2022. The Windows version of GitHub Desktop is not affected.

How Did the Breach Happen?

The repositories are reported to have been cloned the day before using a compromised personal access token (PAT) associated with a machine account. None of the repositories contained consumer data, and the compromised credentials were revoked. GitHub did not specify how the token was compromised.

Several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. (…) We have no evidence that the threat actor was able to decrypt or use these certificates.

Source

It’s worth noting that successfully decrypting the certificates could allow an attacker to sign trojanized programs with them and pass those programs off as coming from GitHub, explains The Hacker News.

The Impact on GitHub.com

We investigated the contents of the compromised repositories and found no impact to GitHub.com or any of our other offerings outside of the specific certificates noted above. No unauthorized changes were made to the code in these repositories.

Source

On February 2, 2023, the three compromised certificates (two DigiCert code signing certificates used for Windows and one Apple Developer ID certificate) will be revoked.

The code hosting platform also reported that on January 4, 2023, it delivered an updated version of the Desktop app signed with fresh certificates that did not leave the app vulnerable to the threat actor.

The company’s full announcement on the subject is available here.
