GitHub says hackers cloned code-signing certificates in breached repository

GitHub mentioned unknown intruders gained unauthorized entry to a few of its code repositories and stole code-signing certificates for 2 of its desktop functions: Desktop and Atom.

Code-signing certificates place a cryptographic stamp on code to confirm it was developed by the listed group, which on this case is GitHub. If decrypted, the certificates might enable an attacker to signal unofficial variations of the apps that had been maliciously tampered with and cross them off as official updates from GitHub. Present variations of Desktop and Atom are unaffected by the credential theft.

“A set of encrypted code signing certificates had been exfiltrated; nevertheless, the certificates had been password-protected and we have now no proof of malicious use,” the corporate wrote in an advisory. “As a preventative measure, we are going to revoke the uncovered certificates used for the GitHub Desktop and Atom functions.”

The revocations, which shall be efficient on Thursday, will trigger sure variations of the apps to cease working. These apps are:

GitHub Desktop for Mac with the next variations:

• 3.1.2
• 3.1.1
• 3.1.0
• 3.0.8
• 3.0.7
• 3.0.6
• 3.0.5
• 3.0.4
• 3.0.3
• 3.0.2

Atom:

Desktop for Home windows is unaffected.

On January 4, GitHub printed a brand new model of the Desktop app that’s signed with new certificates that weren’t uncovered to the risk actor. Customers of Desktop ought to replace to this new model.

One compromised certificates expired on January 4, and one other is ready to run out on Thursday. Revoking these certificates supplies safety in the event that they had been used earlier than expiration to signal malicious updates. With out the revocation, such apps would cross the signature test. The revocation has the impact of constructing all code fail the signature test, irrespective of when it was signed.

A 3rd affected certificates, an Apple Developer ID certificates, isn’t set to run out till 2027. GitHub will revoke this certificates on Thursday as effectively. Within the meantime, GitHub mentioned, “We’re working with Apple to observe for any new executable information (like functions) signed with the uncovered certificates.”

On December 6, GitHub mentioned, the risk actor used a compromised private entry token (PAT) to clone repositories for Desktop, Atom, and different deprecated GitHub-owned organizations. GitHub revoked the PAT a day later after discovering the breach. Not one of the cloned repositories contained buyer knowledge. The advisory did not clarify how the PAT was compromised.

Included within the repositories had been “a number of encrypted code signing certificates” clients might use when working with Desktop or Atom. There’s no proof that the risk actor might decrypt or use any of the certificates.

“We investigated the contents of the compromised repositories and located no affect to GitHub.com or any of our different choices outdoors of the precise certificates famous above,” the advisory acknowledged. “No unauthorized modifications had been made to the code in these repositories.”