GitHub says hackers cloned code-signing certificates in breached repository



GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom.

Code-signing certificates place a cryptographic stamp on code to verify it was developed by the listed organization, which in this case is GitHub. If decrypted, the certificates could allow an attacker to sign unofficial versions of the apps that had been maliciously tampered with and pass them off as legitimate updates from GitHub. Current versions of Desktop and Atom are unaffected by the credential theft.

“A set of encrypted code signing certificates had been exfiltrated; however, the certificates had been password-protected and we have no evidence of malicious use,” the company wrote in an advisory. “As a preventative measure, we’ll revoke the exposed certificates used for the GitHub Desktop and Atom applications.”

The revocations, which will be effective on Thursday, will cause certain versions of the apps to stop working. Those apps are:

GitHub Desktop for Mac with the following versions:

  • 3.1.2
  • 3.1.1
  • 3.1.0
  • 3.0.8
  • 3.0.7
  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2

Atom:

Desktop for Windows is unaffected.

On January 4, GitHub published a new version of the Desktop app that’s signed with new certificates that weren’t exposed to the threat actor. Users of Desktop should update to this new version.

One compromised certificate expired on January 4, and another is set to expire on Thursday. Revoking these certificates provides protection in case they were used before expiration to sign malicious updates. Without the revocation, such apps would pass the signature check. The revocation has the effect of making all code fail the signature check, no matter when it was signed.
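The difference between expiry and revocation described above can be modeled in a few lines. This is an added example, not code from GitHub or the advisory; the class names, app names and dates are constructed, and the check is a simplified model that assumes each signature carries a trusted signing timestamp.

```python
from dataclasses import dataclass
from datetime import date

# Simplified model (an assumption of this example): a timestamped signature is
# judged against the certificate's validity window at signing time, and a
# revoked certificate invalidates every signature, as the article describes.

@dataclass(frozen=True)
class Cert:
    not_before: date
    not_after: date
    revoked: bool = False

@dataclass(frozen=True)
class SignedApp:
    name: str
    signed_on: date  # trusted timestamp recorded when the code was signed

def passes_signature_check(app: SignedApp, cert: Cert) -> bool:
    if cert.revoked:
        return False  # revocation: fails no matter when it was signed
    # Expiry alone does not help: only the signing time must fall in the window.
    return cert.not_before <= app.signed_on <= cert.not_after

def evaluate(apps, cert):
    """Map each app name to the outcome of its signature check."""
    return {app.name: passes_signature_check(app, cert) for app in apps}

# Constructed dates and names, not taken from the advisory.
CERT = Cert(not_before=date(2030, 1, 1), not_after=date(2030, 12, 31))
APPS = [
    SignedApp("official-release", date(2030, 6, 1)),
    SignedApp("tampered-build-signed-before-expiry", date(2030, 12, 30)),
    SignedApp("tampered-build-signed-after-expiry", date(2031, 2, 1)),
]

if __name__ == "__main__":
    print("expired, not revoked:", evaluate(APPS, CERT))
    revoked = Cert(CERT.not_before, CERT.not_after, revoked=True)
    print("revoked:             ", evaluate(APPS, revoked))
```

In the unrevoked case the tampered build signed before expiry still passes, which is why the certificates are revoked even though two of them expire anyway; the cost is that the official release fails too.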

A third affected certificate, an Apple Developer ID certificate, isn’t set to expire until 2027. GitHub will revoke this certificate on Thursday as well. In the meantime, GitHub said, “We’re working with Apple to monitor for any new executable files (like applications) signed with the exposed certificates.”

On December 6, GitHub said, the threat actor used a compromised personal access token (PAT) to clone repositories for Desktop, Atom, and other deprecated GitHub-owned organizations. GitHub revoked the PAT a day later after discovering the breach. None of the cloned repositories contained customer data. The advisory did not explain how the PAT was compromised.

Included in the repositories were “several encrypted code signing certificates” customers could use when working with Desktop or Atom. There’s no evidence that the threat actor could decrypt or use any of the certificates.

“We investigated the contents of the compromised repositories and found no impact to GitHub.com or any of our other offerings outside of the specific certificates noted above,” the advisory stated. “No unauthorized changes were made to the code in these repositories.”


