Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

GitHub Revokes Code Signing Certificates Following Cyberattack

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Code hosting platform GitHub on Monday announced the revocation of three digital certificates used for the GitHub Desktop and Atom applications.

The three certificates were stolen on December 6, 2022, after an unauthorized third-party used a compromised Personal Access Token (PAT) for a machine account to clone repositories from Atom, GitHub Desktop, and other deprecated GitHub-owned organizations. GitHub revoked the compromised credentials on December 7. 

“After a thorough investigation, we have concluded there was no risk to GitHub.com services as a result of this unauthorized access and no unauthorized changes were made to these projects,” the company says.

According to GitHub, the cloned repositories did not contain customer data, but several encrypted code signing certificates for use via Actions in GitHub Desktop and Atom release workflows were stored in them.

“The certificates were password-protected and we have no evidence of malicious use. As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications,” GitHub says.

The Microsoft-owned platform explains that the certificate revocation will invalidate some versions of GitHub Desktop for Mac and Atom, but will have no impact on GitHub Desktop for Windows.

Specifically, GitHub Desktop for Mac versions 3.0.2 to 3.1.2 and Atom versions 1.63.0 and 1.63.1 will stop working. GitHub Desktop for Mac users will need to update to the latest release, while Atom users will need to download a previous Atom version (Atom versions 1.63.0-1.63.1 have already been removed from the releases page).

“On Thursday, February 2, 2023, we will revoke the Mac & Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1. Once revoked, all versions signed with these certificates will no longer function,” GitHub announced.

Advertisement. Scroll to continue reading.

Because the stolen certificates do not appear to have been decrypted by the threat actor, they do not pose a risk to the existing GitHub Desktop and Atom installations but, if decrypted, they could allow the attackers to sign unofficial applications and pretend they were released by GitHub.

The impacted certificates include two Digicert certificates for Windows and one Apple Developer ID certificate. One Digicert certificate expired on January 4, while the other will expire on February 1. The Apple Developer ID certificate is valid until 2027.

“On January 4, 2023, we published a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor,” GitHub notes.

Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery

Related: GitHub Introduces Automatic Vulnerability Scanning Feature

Related: GitHub Announces Free Secret Scanning, Mandatory 2FA

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...