Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

GitHub Revokes Code Signing Certificates Following Cyberattack

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Code hosting platform GitHub on Monday announced the revocation of three digital certificates used for the GitHub Desktop and Atom applications.

The three certificates were stolen on December 6, 2022, after an unauthorized third-party used a compromised Personal Access Token (PAT) for a machine account to clone repositories from Atom, GitHub Desktop, and other deprecated GitHub-owned organizations. GitHub revoked the compromised credentials on December 7. 

“After a thorough investigation, we have concluded there was no risk to GitHub.com services as a result of this unauthorized access and no unauthorized changes were made to these projects,” the company says.

According to GitHub, the cloned repositories did not contain customer data, but several encrypted code signing certificates for use via Actions in GitHub Desktop and Atom release workflows were stored in them.

“The certificates were password-protected and we have no evidence of malicious use. As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications,” GitHub says.

The Microsoft-owned platform explains that the certificate revocation will invalidate some versions of GitHub Desktop for Mac and Atom, but will have no impact on GitHub Desktop for Windows.

Specifically, GitHub Desktop for Mac versions 3.0.2 to 3.1.2 and Atom versions 1.63.0 and 1.63.1 will stop working. GitHub Desktop for Mac users will need to update to the latest release, while Atom users will need to download a previous Atom version (Atom versions 1.63.0-1.63.1 have already been removed from the releases page).

“On Thursday, February 2, 2023, we will revoke the Mac & Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1. Once revoked, all versions signed with these certificates will no longer function,” GitHub announced.

Because the stolen certificates do not appear to have been decrypted by the threat actor, they do not pose a risk to the existing GitHub Desktop and Atom installations but, if decrypted, they could allow the attackers to sign unofficial applications and pretend they were released by GitHub.

The impacted certificates include two Digicert certificates for Windows and one Apple Developer ID certificate. One Digicert certificate expired on January 4, while the other will expire on February 1. The Apple Developer ID certificate is valid until 2027.

“On January 4, 2023, we published a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor,” GitHub notes.

Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery

Related: GitHub Introduces Automatic Vulnerability Scanning Feature

Related: GitHub Announces Free Secret Scanning, Mandatory 2FA

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.