GitHub revealed Monday that an unknown attacker has stolen encrypted code-signing certificates associated with some versions of GitHub Desktop for Mac and the Atom app.
As a result, the company is taking steps to revoke the exposed certificates out of an abundance of caution. The following versions of GitHub Desktop for Mac have been disabled: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2.
Atom versions 1.63.0 and 1.63.1 are also scheduled to stop working on February 2, 2023, requiring users to downgrade to the previous version of Atom (1.60.0). GitHub Desktop for Windows is not affected.
The Microsoft-owned subsidiary said that on December 7, 2022, it detected unauthorized access to a set of deprecated repositories used to plan and develop GitHub Desktop and Atom.
The repositories were reportedly cloned the day before using a compromised Personal Access Token (PAT) associated with a machine account. None of the repositories contained customer data, and the compromised credentials were subsequently revoked. GitHub has not disclosed how the token was compromised.
“Several cryptographic code-signing certificates were stored in these repositories and used via Actions in the GitHub Desktop and Atom release workflows,” said Alexis Wales of GitHub. “There is no evidence that an attacker was able to decrypt or use these certificates.”
Should the certificates be decrypted, an adversary could use them to sign a trojanized application and pass it off as originating from GitHub. Revoking the certificates closes that window, which is also why the releases signed with them stop working on the revocation date.
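The practical lesson from the incident is that signing material should never live in a repository, even password-protected, because an encrypted bundle is only as safe as its passphrase and can be brute-forced offline once cloned. The following is an added example, not GitHub's tooling and unrelated to the repositories in the story: a scanner a release engineer could run over a checkout before pushing. It flags PKCS#12/PFX bundles by their DER header (a SEQUENCE whose first element is the INTEGER version 3), PEM-armoured private keys and certificates, and PKCS#12 blobs pasted into workflow YAML as base64. The sample checkout it builds is constructed for the demonstration and contains no real key material; the file names and YAML are illustrative.

```python
"""Added example: scan a checkout for committed code-signing material.

Not GitHub's tooling. Flags PKCS#12/PFX bundles by their DER header,
PEM-armoured private keys and certificates, and PKCS#12 blobs pasted
into workflow YAML as base64. Password-protected bundles are flagged
too: the outer header is the same whether or not the contents are encrypted.
"""
import base64
import os
import re
import tempfile

# PEM armour for private keys (PKCS#1, PKCS#8, EC, encrypted) and certificates.
PEM_RE = re.compile(rb"-----BEGIN (?:[A-Z ]*PRIVATE KEY|CERTIFICATE)-----")
# Long unbroken base64 runs, e.g. a .p12 pasted into a workflow as an env value.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
SUSPECT_EXT = {".p12", ".pfx", ".pem", ".key", ".cer", ".crt", ".der"}
MAX_SIZE = 4 * 1024 * 1024  # skip large binaries


def looks_like_pkcs12(data: bytes) -> bool:
    """True if data starts like a DER PFX: SEQUENCE whose first element is INTEGER 3 (version)."""
    if len(data) < 5 or data[0] != 0x30:
        return False
    # Skip the SEQUENCE header: tag byte plus short-form or long-form length.
    hdr = 2 + (data[1] & 0x7F) if data[1] & 0x80 else 2
    return data[hdr:hdr + 3] == b"\x02\x01\x03"


def classify(path: str, data: bytes) -> list[str]:
    """Return the kinds of signing material found in one file."""
    findings = []
    if looks_like_pkcs12(data):
        findings.append("pkcs12-der")
    if PEM_RE.search(data):
        findings.append("pem-key-or-cert")
    for match in B64_RE.finditer(data):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding or length
            continue
        if looks_like_pkcs12(blob):
            findings.append("pkcs12-base64")
            break
    if not findings and os.path.splitext(path)[1].lower() in SUSPECT_EXT:
        findings.append("suspicious-extension")  # no known header, but worth a human look
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a checkout (skipping .git) and map relative paths to their findings."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_SIZE:
                continue
            with open(path, "rb") as fh:
                hits = classify(path, fh.read())
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def build_fixture() -> str:
    """Constructed sample checkout (no real key material): a fake PFX header, the same
    bytes pasted as base64 into a workflow, a placeholder PEM key, and two clean files."""
    root = tempfile.mkdtemp(prefix="signing-scan-")
    fake_pfx = b"\x30\x82\x00\x40\x02\x01\x03" + b"\x00" * 61  # DER header only, zero-padded
    files = {
        "certs/release.p12": fake_pfx,
        ".github/workflows/bad.yml": (
            b"name: release\non: push\nenv:\n"
            b"  # anti-pattern: bundle pasted straight into the workflow\n"
            b"  MAC_P12: " + base64.b64encode(fake_pfx) + b"\n"
        ),
        ".github/workflows/good.yml": (
            b"name: release\non: push\njobs:\n  sign:\n    runs-on: macos-latest\n"
            b"    steps:\n      - run: echo \"$MAC_P12\" | base64 -d > release.p12\n"
            b"        env:\n          MAC_P12: ${{ secrets.MAC_P12 }}\n"
        ),
        "keys/dev.key": b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder-not-a-key\n-----END RSA PRIVATE KEY-----\n",
        "README.md": b"# Desktop release tooling\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_fixture()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

The header check is deliberately format-based rather than name-based so that a bundle renamed to `release.bin` is still caught, while the extension rule only fires when nothing else did. The `good.yml` fixture shows the intended pattern: the bundle arrives as a repository secret and is decoded at job time, never committed.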
The three compromised certificates (two DigiCert code-signing certificates used for Windows and one Apple Developer ID certificate used for macOS) are scheduled to be revoked on February 2, 2023.
The code hosting platform also said it released a new version of GitHub Desktop on January 4, 2023, signed with a new certificate that was not exposed to the attacker. It also emphasized that no unauthorized changes were made to the code in these repositories.