GitHub revokes code signing certificates stolen in repository breach

A GitHub representative stated that unknown attackers stole encrypted code signing certificates for the GitHub Desktop and Atom editor applications after gaining access to some of the company's repositories.

So far, GitHub has found no evidence that the password-protected certificates (one Apple Developer ID certificate and two DigiCert code signing certificates used for Windows) were used for malicious purposes.

“On December 6, 2022, our repositories for Atom, Desktop and some other programs belonging to GitHub were cloned using a compromised personal access token (PAT). After discovering this on December 7, 2022, our team immediately revoked the compromised credentials and began investigating the potential impact on customers and internal systems. As it turned out, none of the affected repositories contained customer data,” GitHub said.

The company added that there is no risk to GitHub.com as a result of this security breach, and that no unauthorized changes were made to the affected projects. However, the compromised certificates will be revoked, which will invalidate the GitHub Desktop and Atom editor builds signed with them.

GitHub said that the three certificates will be revoked on February 2, 2023:

  • One DigiCert certificate expired on January 4, 2023, and the second expires on February 1, 2023. After expiration, these certificates can no longer be used to sign code. Although they will then pose no risk, the company will revoke them on February 2 as a preventive measure.
  • The Apple Developer ID certificate is valid until 2027. GitHub is working closely with Apple to monitor for any new executable files signed with the exposed certificate until its revocation on February 2.

GitHub has removed the last two versions of Atom (1.63.0-1.63.1) from the releases page, and on February 2 will revoke the Mac and Windows signing certificates used to sign Desktop versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1. Once the certificates are revoked, all application versions signed with the compromised certificates will no longer function.

“On January 4, 2023, we published a new version of Desktop. This version is signed with new certificates that were not exposed to the attackers. We strongly recommend updating Desktop (3.1.5) and/or installing an older version of Atom (1.60.0). This must be done before February 2 to avoid disruption to your workflows,” GitHub added.
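For administrators who need to find which installed copies fall inside the version ranges GitHub lists above, here is an added triage example (not code from GitHub or from the cited reports). It assumes a constructed inventory in `host,application,version` form and compares versions numerically, so that a version such as 3.1.10 is correctly treated as newer than 3.1.2.

```python
"""Flag inventory entries whose GitHub Desktop / Atom version was signed with
the compromised certificates, per the ranges stated in the article."""

# Inclusive version ranges named in the article.
AFFECTED_RANGES = {
    "GitHub Desktop": ("3.0.2", "3.1.2"),
    "Atom": ("1.63.0", "1.63.1"),
}

# Remediation the article quotes from GitHub.
RECOMMENDED_ACTION = {
    "GitHub Desktop": "update to Desktop 3.1.5 or later",
    "Atom": "install Atom 1.60.0 (Atom 1.63.x has been withdrawn)",
}


def parse_version(text):
    """Turn '3.1.10' (or 'v3.1.10') into (3, 1, 10) for numeric comparison.
    Raises ValueError for strings that are not dotted integers."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def is_affected(app, version):
    """True if `version` of `app` lies inside the compromised-signature range."""
    if app not in AFFECTED_RANGES:
        return False
    low, high = (parse_version(v) for v in AFFECTED_RANGES[app])
    return low <= parse_version(version) <= high


def triage(inventory_csv):
    """Return [(host, app, version, action)] for every line needing attention.
    Lines with unparseable versions are reported so they are not silently skipped."""
    findings = []
    for line in inventory_csv.strip().splitlines():
        host, app, version = (field.strip() for field in line.split(","))
        try:
            if is_affected(app, version):
                findings.append((host, app, version, RECOMMENDED_ACTION[app]))
        except ValueError:
            findings.append((host, app, version, "unparseable version, check manually"))
    return findings


# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = """
ws01,GitHub Desktop,3.1.1
ws02,GitHub Desktop,3.1.10
ws03,Atom,1.63.1
ws04,Atom,1.60.0
ws05,GitHub Desktop,unknown
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(*finding, sep=" | ")
```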

Media reports cited above.