GitHub breach: attackers cloned code signing certificates

GitHub claims unknown attackers accessed its code repositories and stole certificates for GitHub Desktop and Atom applications.

GitHub, a popular hosting service for software development, notified users of an “unauthorized access” the company detected on December 7, 2022.

According to GitHub, the attack only affected repositories used in the planning and development of GitHub Desktop and Atom applications, and there’s no risk to services.

“A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected, and we have no evidence of malicious use,” GitHub said.

In theory, attackers who managed to decrypt the stolen certificates could sign malicious software so that it passes as a legitimate GitHub update, bypassing safeguards that trust the signature. To prevent this from happening, the company will revoke exposed certificates on February 2, 2023.

According to GitHub’s statement, unknown attackers cloned repositories from GitHub Desktop and Atom using a “compromised Personal Access Token.”

“Several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. We have no evidence that the threat actor was able to decrypt or use these certificates,” GitHub said.

Users are advised to update the certificates before they are revoked to avoid any workflow disruption. The company has listed all versions of affected applications that need to be updated before February 2.
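For teams that want to check whether their own repositories hold signing material the way the affected ones did, the following is an added example, not code from GitHub or from the original article. It walks a checked-out tree and flags PEM private keys, PKCS#12 containers and common keystore extensions; the function names and the sample files are hypothetical and constructed for illustration.

```python
import os
import tempfile

# PEM armor lines that mark private-key material, encrypted or not.
PEM_MARKERS = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----",
               b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN EC PRIVATE KEY-----")
KEYSTORE_EXTS = (".p12", ".pfx", ".jks", ".keystore")

def looks_like_pkcs12(head: bytes) -> bool:
    """Heuristic: ASN.1 SEQUENCE whose first element is INTEGER 3 (the PFX version)."""
    if len(head) < 2 or head[0] != 0x30:
        return False
    # Short-form (< 0x80) and indefinite (0x80) lengths take one byte; long form adds more.
    off = 2 if head[1] <= 0x80 else 2 + (head[1] & 0x7F)
    return head[off:off + 3] == b"\x02\x01\x03"

def find_key_material(root: str) -> list:
    """Return sorted (relative path, reason) pairs for files that look like signing keys."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # working tree only
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable file or dangling symlink
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if any(marker in head for marker in PEM_MARKERS):
                findings.append((rel, "pem-private-key"))
            elif looks_like_pkcs12(head):
                findings.append((rel, "pkcs12-container"))
            elif name.lower().endswith(KEYSTORE_EXTS):
                findings.append((rel, "keystore-extension"))
    return sorted(findings)

def demo() -> list:
    samples = {  # constructed sample tree: file names and contents are made up
        "README.md": b"# release tooling\n",
        "certs/win.bin": b"\x30\x82\x0a\x01\x02\x01\x03\x30\x82",  # PFX-style header only
        "certs/mac.key": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n",
        "certs/old.pfx": b"placeholder",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return find_key_material(root)
```

The scan covers the checked-out tree only; a file deleted in a later commit is still present in the repository history and in every existing clone.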
