GitHub Confirms Signing Certificates Stolen in Cyber-Attack, Revokes Them

Written by

GitHub confirmed on Monday that threat actors stole three digital certificates used for its Desktop and Atom applications during a cyber-attack in December 2022.

Writing in a blog post, the company also said that after investigating the accident, it concluded there was no risk to services and no unauthorized changes to the projects.

“A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected, and we have no evidence of malicious use,” reads the post by Alexis Wales, GitHub’s vice president of security operations.

“As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom.”

More specifically, several versions of GitHub Desktop for Mac between 3.0.2 and 3.1.2 will stop working on February 02, while GitHub Desktop for Windows will not be affected. As for the Atom text editor, versions 1.63.0 and 1.63.1 will stop working.

To continue using the software solutions, GitHub urged Mac users to upgrade the GitHub Desktop version to the latest release. In contrast, Atom users must download a previous program version to keep working on it.

“The security and trustworthiness of GitHub and the broader developer ecosystem is our highest priority,” Wales added. “We recommend users take action on the above recommendations to continue using GitHub Desktop and Atom.”

According to Kevin Bocek, VP of security strategy and threat intelligence at Venafi, revoking the certificates is a sensible move, as threat actors may use them to masquerade their software as coming from GitHub.

“In the wrong hands, these machine identities could be used to pose as trusted [...]. This is the powerful weapon that can enable supply chain attacks on other software developers and unknown possible subsequent (or past) attacks,” Bocek told Infosecurity in an email.

“To protect against events such as these, which are becoming increasingly common, security engineering teams must deploy a control plane for automating machine identity management.”

The GitHub disclosure comes weeks after the company introduced a new feature to set up automatic code scanning on repositories.

What’s hot on Infosecurity Magazine?