GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom.
Code-signing certificates place a cryptographic stamp on code to verify it was developed by the listed organization, which in this case is GitHub. If decrypted, the certificates could allow an attacker to sign unofficial versions of the apps that had been maliciously tampered with and pass them off as legitimate updates from GitHub. Current versions of Desktop and Atom are unaffected by the credential theft.
“A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected and we have no evidence of malicious use,” the company wrote in an advisory. “As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications.”
The revocations, which will be effective on Thursday, will cause certain versions of the apps to stop working. Those apps are:
GitHub Desktop for Mac with the following versions:
- 3.1.2
- 3.1.1
- 3.1.0
- 3.0.8
- 3.0.7
- 3.0.6
- 3.0.5
- 3.0.4
- 3.0.3
- 3.0.2
Atom:
- 1.63.1
- 1.63.0
Desktop for Windows is unaffected.
On January 4, GitHub published a new version of the Desktop app that’s signed with new certificates that were not exposed to the threat actor. Users of Desktop should update to this new version.
One compromised certificate expired on January 4, and another is set to expire on Thursday. Revoking these certificates provides protection if they were used before expiration to sign malicious updates. Without the revocation, such apps would pass the signature check. The revocation has the effect of making all code fail the signature check, no matter when it was signed.
A third affected certificate, an Apple Developer ID certificate, isn’t set to expire until 2027. GitHub will revoke this certificate on Thursday as well. In the meantime, GitHub said, “We are working with Apple to monitor for any new executable files (like applications) signed with the exposed certificate.”
On December 6, GitHub said, the threat actor used a compromised personal access token (PAT) to clone repositories for Desktop, Atom, and other deprecated GitHub-owned organizations. GitHub revoked the PAT a day later after discovering the breach. None of the cloned repositories contained customer data. The advisory didn’t explain how the PAT was compromised.
Included in the repositories were “several encrypted code signing certificates” customers could use when working with Desktop or Atom. There’s no evidence that the threat actor could decrypt or use any of the certificates.
“We investigated the contents of the compromised repositories and found no impact to GitHub.com or any of our other offerings outside of the specific certificates noted above,” the advisory stated. “No unauthorized changes were made to the code in these repositories.”