GitHub says hackers cloned code-signing certificates in breached repository

by trends capitals
February 1, 2023

GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom.

Code-signing certificates place a cryptographic stamp on code to confirm it was developed by the listed organization, which in this case is GitHub. If decrypted, the certificates could allow an attacker to sign unofficial versions of the apps that had been maliciously tampered with and pass them off as authentic updates from GitHub. Current versions of Desktop and Atom are unaffected by the credential theft.

“A set of encrypted code signing certificates had been exfiltrated; nevertheless, the certificates had been password-protected and we have no proof of malicious use,” the company wrote in an advisory. “As a preventative measure, we’ll revoke the exposed certificates used for the GitHub Desktop and Atom applications.”

The revocations, which will be effective on Thursday, will cause certain versions of the apps to stop working. These apps are:

GitHub Desktop for Mac with the following versions:

  • 3.1.2
  • 3.1.1
  • 3.1.0
  • 3.0.8
  • 3.0.7
  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2

Atom:

Desktop for Windows is unaffected.

On January 4, GitHub published a new version of the Desktop app that is signed with new certificates that were not exposed to the threat actor. Users of Desktop should update to this new version.

One compromised certificate expired on January 4, and another is set to expire on Thursday. Revoking these certificates provides protection in case they were used before expiration to sign malicious updates. Without the revocation, such apps would pass the signature check. The revocation has the effect of making all code fail the signature check, no matter when it was signed.
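The difference between expiry and revocation described above, as a simplified model added here (it is not GitHub's or Apple's verification code). The certificate start date, the years, the sample artifacts and the evaluation date are constructed assumptions; only the January 4 expiry comes from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime
    revoked: bool = False


@dataclass(frozen=True)
class Artifact:
    name: str
    signed_at: Optional[datetime]  # trusted timestamp; None if the signature has none


def passes_check(artifact: Artifact, cert: Cert, now: datetime) -> bool:
    # Revocation as the article describes it: nothing signed with the cert passes.
    if cert.revoked:
        return False
    # With a trusted timestamp the cert only had to be valid at signing time,
    # which is why expiry alone does not invalidate earlier signatures.
    # Without a timestamp, validity is judged at verification time.
    when = artifact.signed_at or now
    return cert.not_before <= when <= cert.not_after


# Constructed sample data (assumptions, not values from the advisory).
NOW = utc(2023, 2, 10)
ARTIFACTS = [
    Artifact("official-release", utc(2022, 11, 1)),
    Artifact("tampered-build-signed-before-expiry", utc(2022, 12, 20)),  # hypothetical
    Artifact("build-without-timestamp", None),
]


def evaluate(revoked: bool) -> dict:
    cert = Cert(utc(2020, 1, 1), utc(2023, 1, 4), revoked)
    return {a.name: passes_check(a, cert, NOW) for a in ARTIFACTS}


if __name__ == "__main__":
    for revoked in (False, True):
        print("revoked" if revoked else "expired only", evaluate(revoked))
```

The revoked case also fails the official release, which is why the listed versions stop working once the revocation takes effect.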

A third affected certificate, an Apple Developer ID certificate, is not set to expire until 2027. GitHub will revoke this certificate on Thursday as well. In the meantime, GitHub said, “We’re working with Apple to monitor for any new executable files (like applications) signed with the exposed certificate.”

On December 6, GitHub said, the threat actor used a compromised personal access token (PAT) to clone repositories for Desktop, Atom, and other deprecated GitHub-owned organizations. GitHub revoked the PAT a day later after discovering the breach. None of the cloned repositories contained customer data. The advisory did not explain how the PAT was compromised.

Included in the repositories were “a number of encrypted code signing certificates” GitHub uses to sign releases of the Desktop and Atom apps. Customers do not have direct access. There is no evidence that the threat actor could decrypt or use any of the certificates.

“We investigated the contents of the compromised repositories and found no impact to GitHub.com or any of our other offerings outside of the specific certificates noted above,” the advisory stated. “No unauthorized changes had been made to the code in these repositories.”


