GitHub said that unknown hackers have stolen encrypted code signing certificates for its Desktop and Atom applications after gaining access to a set of repositories of the afore mentioned apps.
The incident took place on December 6, 2022, the company said. The certificates were password-protected, and, so far, GitHub has no evidence that the certs were decrypted or maliciously used. If decrypted, the threat actor could sign unofficial applications with these certificates and pretend that they were officially created by GitHub.
“On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account. Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data,” GitHub said in a security advisory.
As a preventive measure the company has revoked the exposed certificates.
“On Thursday, February 2, 2023, we will revoke the Mac & Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1. Once revoked, all versions signed with these certificates will no longer function,” the company warned.
GitHub Desktop for Windows is said to be not affected.