GitHub hit by hackers; code signing certificates for GitHub Desktop and Atom applications stolen

GitHub has issued a warning about "unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom" in a hack that took place back in December.

Users are being advised to ensure that they install the latest updates for the affected software, but there is currently no suggestion that GitHub.com has been impacted. With the attackers having stolen code signing certificates, GitHub is revoking the certificates for some versions of Atom and GitHub Desktop on February 2, so users should update before this date.

Revealing some details of the attack, GitHub's Alexis Wales says: "A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected and we have no evidence of malicious use. As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom".

Wales continues:

On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account. Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.

However, several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. We have no evidence that the threat actor was able to decrypt or use these certificates.

GitHub says that the following versions of GitHub Desktop for Mac will stop working on February 2, but points out that GitHub Desktop for Windows is not affected:

  • 3.1.2
  • 3.1.1
  • 3.1.0
  • 3.0.8
  • 3.0.7
  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2

Additionally, the company warns that Atom versions 1.63.0 and 1.63.1 will stop working on February 2, and that in order to keep using Atom, users will need to download a previous Atom version.

More information is available over on the GitHub blog.

Image credit: rafapress / depositphotos

© 1998-2024 BetaNews, Inc. All Rights Reserved.