
According to GitHub, an unknown intruder compromised part of the code repository and stole the code-signing certificates for two desktop applications, Desktop Application and Atom.
A code-signing certificate puts a cryptographic stamp on your code, confirming that it was developed by a listed organization (in this case, GitHub). Once the certificate is decrypted, an attacker could sign maliciously modified unofficial versions of the app and pass them along as legitimate updates from her GitHub. Current versions of Desktop and Atom are not affected by credential theft.
“A set of encrypted code-signing certificates has been leaked. However, the certificates are password-protected and there is no evidence of malicious use,” the company wrote in its advisory. , revokes the public certificate used for GitHub Desktop and Atom applications.”
The revocation, which takes effect Thursday, will prevent certain versions of the app from working. Those apps are:
GitHub Desktop for Mac for the following versions:
- 3.1.2
- 3.1.1
- 3.1.0
- 3.0.8
- 3.0.7
- 3.0.6
- 3.0.5
- 3.0.4
- 3.0.3
- 3.0.2
atom:
Windows desktops are not affected.
On January 4th, GitHub published a new version of the desktop app signed with a new certificate not disclosed to the attackers. Desktop users should update to this new version.
One of the compromised certificates is set to expire on January 4th and another is set to expire on Thursday. Revoking these certificates protects them from being used to sign malicious updates before they expire. Without revocation, such apps pass the signature check. Revocation has the effect that all code fails the signature check regardless of when it was signed.
The third certificate affected, the Apple Developer ID certificate, is set not to expire until 2027. GitHub will also revoke this certificate on Thursday. In the meantime, GitHub says, “We are working with Apple to monitor new executables (such as applications) signed with our public certificate.”
According to GitHub, on December 6, threat actors used compromised Personal Access Tokens (PATs) to clone Desktop, Atom, and repositories of other decommissioned GitHub-owned organizations. GitHub canceled his PAT a day after he discovered the infringement. The cloned repository did not contain any customer data. The advisory does not explain how the PAT was compromised.
The repository contained “several encrypted code-signing certificates” that customers could use when using Desktop or Atom. There is no evidence that an attacker can decrypt or use either certificate.
“We have investigated the contents of the compromised repository and found no impact on GitHub.com or any other services other than the specific certificate above,” the advisory said. “No unauthorized changes were made to the code in these repositories.”