Supply chain, Identity
GitHub code signing certificates compromised, to be revoked
BleepingComputer reports that GitHub had its encrypted code-signing certificates for its Atom and Desktop applications stolen following unauthorized access to certain development and release planning repositories.
Threat actors leveraged a compromised Personal Access Token related to a machine account to clone Atom, Desktop, and other deprecated GitHub-owned organizations on Dec. 6, while compromised credentials were revoked the day after, according to GitHub, which noted the lack of evidence suggesting malicious use of the stolen certificates. GitHub services are also unaffected by the incident.
Meanwhile, GitHub noted that it will be revoking two Digicert certificates with Jan. 4 and Feb. 1 expiration dates, as well as an Apple Developer ID certificate valid until 2027 by Feb. 2.
"On January 4, 2023, we published a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor. We highly recommend updating Desktop and/or downgrading Atom before February 2 to avoid disruptions in your workflows," said GitHub.
An In-Depth Guide to Identity
Get essential knowledge and practical strategies to fortify your identity security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds