Although attackers exfiltrated a set of encrypted code-signing certificates, these were password-protected, so there is no possibility of malicious use.
GitHub revealed that on December 7th, 2022, hackers had gained unauthorized access to several of its code repositories and stolen code-signing certificates for two of its desktop apps:
Desktop. The repositories were used in the planning and development of these applications.
A further probe led to the conclusion that GitHub’s services were not at risk, and no unauthorized changes were made to these projects. Although attackers exfiltrated a set of encrypted code-signing certificates, these were password-protected, so there is no possibility of malicious use.
The repositories were cloned one day prior by a compromised PAT (personal access token) associated with a machine account. GitHub did not reveal how the token was breached. Alexis Wales from GitHub stated in a blog post:
“Several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. We have no evidence that the threat actor was able to decrypt or use these certificates.”GitHub
GitHub has decided to revoke the exposed certificates used for Atom and Desktop applications. The revocations will be effective this Thursday and prevent some impacted versions of these apps from working. Revoking these certificates will render some versions of GitHub Desktop for Mac and Atom invalid; however, current versions of Desktop and Atom are unaffected by this theft.
For your information, code-signing certificates place a cryptographic stamp on the code to verify that the enlisted organization, i.e., GitHub, has developed it. If it gets decrypted, the certificates will allow an attacker to sign the app’s unofficial version, which has already been tampered with and pass them off as official updates from GitHub.
Affected apps include the following versions of GitHub Desktop for Mac:
The following versions of GitHub Atom have been affected.
It is worth noting that GitHub Desktop for Windows is not affected by this credential theft. On January 4, GitHub published a new version of its Desktop app, which was signed with new certificates that weren’t exposed to the attacker(s). GitHub Desktop users should upgrade to the latest version.
MORE GITHUB SECURITY NEWS
- GitHub: Hackers Stole OAuth Access Tokens to Target Orgs
- GitHub Attack Allowed Hackers to Steal Okta’s Source Code
- GitHub fixes vulnerability that exposed repositories to attackers
- GitHub Abused to Spread Malicious PyPI Packages in Image Files
- Hackers spoof commit metadata to create false GitHub repositories