On December 7, 2022, GitHub discovered unauthorized access to a set of repositories used in the planning and development of Atom and GitHub Desktop. A Personal Access Token (PAT) associated with a machine account was compromised and used to clone repositories from GitHub's atom and desktop organizations, as well as from other deprecated GitHub-owned organizations. Those repositories contained a number of encrypted code signing certificates intended for use in the GitHub Actions workflows of the GitHub Desktop and Atom release processes.
Code signing certificates serve a purpose similar to signing your commits on GitHub: they attest that a piece of code was produced by the named publisher. Existing installations of Desktop and Atom are not put at risk by the theft of these certificates. However, if the threat actor were able to break the encryption protecting them, they could sign malicious programs with the certificates so that the software appeared to have been built and released by GitHub.
As of December 6, 2022, two DigiCert code signing certificates used for Windows and one Apple Developer ID certificate were still valid. GitHub will revoke all three certificates on February 2, 2023.
The first DigiCert certificate expired on January 4, 2023, and the second expires on February 1, 2023. Once a certificate's validity period has ended, it can no longer be used to sign code. GitHub will nonetheless revoke both on February 2 as a precaution, even though expired certificates do not pose an ongoing risk.
The Apple Developer ID certificate remains valid until 2027. Until it is revoked on February 2, GitHub is working with Apple to monitor for any new executables (such as applications) that may have been signed with the compromised certificate.
GitHub's investigation of the contents of the compromised repositories found no impact on GitHub.com or on any other GitHub product beyond the specific certificates described above. The code in those repositories has not been modified without authorization.
The two most recent Atom releases, 1.63.0 and 1.63.1, have been removed from the releases page. Because those versions depend on the compromised certificate, they will stop working as soon as it is revoked.
On Thursday, February 2, 2023, GitHub will revoke the Mac and Windows signing certificates used to sign Desktop versions 3.0.2 through 3.1.2 and Atom versions 1.63.0 through 1.63.1. Once the certificates are revoked, every version signed with them will stop working. To avoid disruption to workflows that depend on these tools, users are strongly advised to update Desktop and/or downgrade Atom before February 2.
There is no evidence that the threat actor decrypted or used these certificates, but GitHub cannot confirm that they did not.