GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of GitHub Desktop for Mac and Atom apps.
As a result, the company is taking the step of revoking the exposed certificates out of abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2.
Versions 1.63.0 and 1.63.1 of 1.63.0 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a previous version (1.60.0) of the source code editor. Atom was officially discontinued in December 2022. GitHub Desktop for Windows is not affected.
The Microsoft-owned subsidiary said it detected unauthorized access to a set of repositories, including those from deprecated GitHub-owned organizations, used in the planning and development of GitHub Desktop and Atom on December 7, 2022.
The repositories are said to have been cloned a day before by a compromised personal access token (PAT) associated with a machine account. None of the repositories contained customer data, and the compromised credentials have since been revoked. GitHub did not disclose how the token was breached.
“Several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows,” GitHub’s Alexis Wales said. “We have no evidence that the threat actor was able to decrypt or use these certificates.”
It’s worth pointing out that a successful decryption of the certificates could permit an adversary to sign trojanized applications with these certificates and pass them off as originating from GitHub.
The three compromised certificates – two Digicert code signing certificates used for Windows and one Apple Developer ID certificate – are set for revocation on February 2, 2023.
The code hosting platform also said it released a new version of the Desktop app on January 4, 2023, that’s signed with new certificates that were not exposed to the threat actor. It further emphasized that no unauthorized changes were made to the code in these repositories.