GitHub is urging customers to update their installations of GitHub Desktop after an attacker stole three encrypted code-signing certificates that the company used to sign several versions of Desktop for Mac as well as a couple of versions of its now-retired Atom text editor.
The attacker gained access to the certificates after cloning some GitHub-owned repositories on Dec. 6 through the use of a compromised personal access token (PAT). GitHub immediately revoked the compromised token and began an investigation, through which the company’s security team determined that the attacker had exfiltrated the three certificates, which were used for signing code for the GitHub Desktop and Atom release workflows. Though the certificates are encrypted, two of them (an Apple Developer ID certificate and a DigiCert certificate) are still valid, and GitHub will revoke all three of them on Feb. 2.
“These certificates do not put existing installations of the Desktop and Atom apps at risk. However, if decrypted, the threat actor could sign unofficial applications with these certificates and pretend that they were officially created by GitHub,” Alexis Wales of GitHub said in a post on Monday.
“We investigated the contents of the compromised repositories and found no impact to GitHub.com or any of our other offerings outside of the specific certificates noted above. No unauthorized changes were made to the code in these repositories.”
As part of the response to the incident, GitHub has removed the affected versions of Atom (1.63.0-1.63.1) from its release page, and after the certificates are revoked, those versions will no longer work. The affected versions of GitHub Desktop for Mac are 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2. Those versions will stop working on Feb. 2 as well, once the certificates are revoked.
GitHub published a new version of Desktop for Mac on Jan. 4, which is signed with a new certificate. Organizations that use an affected version of Desktop for Mac should upgrade to the newly published one, and Atom users should downgrade to an unaffected version.
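For administrators who need to find the affected builds across a fleet of Macs, the following added example (not GitHub's own tooling) reads an app bundle's Info.plist and checks its version against the ranges listed in the advisory; it assumes the bundles report `CFBundleName` as "GitHub Desktop" and "Atom", and the embedded plist is a constructed sample.

```python
"""Audit GitHub Desktop for Mac and Atom installs against the builds that
were signed with the exfiltrated certificates. Added example: version
ranges come from the advisory text; the plist sample below is constructed."""
import plistlib

# Inclusive version ranges signed with the stolen certificates, per the advisory.
AFFECTED = {
    "GitHub Desktop": [((3, 0, 2), (3, 0, 8)), ((3, 1, 0), (3, 1, 2))],
    "Atom": [((1, 63, 0), (1, 63, 1))],
}


def parse_version(text):
    """'3.1.2' -> (3, 1, 2). Tuples compare numerically; comparing the raw
    strings would wrongly rank '3.10.0' below '3.2.0'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(app, version):
    """True if this app/version pair was signed with a soon-to-be-revoked certificate."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED.get(app, []))


def audit_bundle(info_plist_bytes):
    """Take the bytes of <App>.app/Contents/Info.plist (assumed bundle layout)
    and return (name, version, affected)."""
    info = plistlib.loads(info_plist_bytes)
    name = info["CFBundleName"]
    version = info["CFBundleShortVersionString"]
    return name, version, is_affected(name, version)


# Constructed sample of what an affected Desktop bundle's Info.plist could contain.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>GitHub Desktop</string>
  <key>CFBundleShortVersionString</key><string>3.1.2</string>
</dict></plist>"""

if __name__ == "__main__":
    name, version, hit = audit_bundle(SAMPLE_PLIST)
    action = "upgrade to the Jan. 4 build" if hit else "no action needed"
    print(f"{name} {version}: {'AFFECTED' if hit else 'ok'} ({action})")
```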