Dive Brief:
- GitHub plans to reset code signing certificates after they were accessed and stolen by a threat actor, the company said Monday.
- The open source development platform detected unauthorized access to repositories containing the certificates on Dec. 7, 2022. GitHub is revoking the exposed certificates, which will invalidate some versions of GitHub Desktop for Mac and the source code editor Atom on Thursday.
- “We have concluded there was no risk to GitHub.com services as a result of this unauthorized access and no unauthorized changes were made to these projects,” Alexis Wales, VP of security ops at GitHub, said in a blog post. “The certificates were password-protected and we have no evidence of malicious use.”
Dive Insight:
The breach and theft of GitHub encrypted code signing certificates follows a series of security incidents and vulnerabilities impacting the Microsoft-owned company and some of its customers.
Slack, earlier this month, said a threat actor stole employee tokens and used them to access the company’s externally hosted GitHub repository, from which the threat actor exfiltrated private code repositories. Okta’s source code repositories were accessed and copied by an unauthorized party on GitHub in December.
Researchers at Veracode earlier this month highlighted an abundance of vulnerabilities and undiscovered flaws on open source GitHub repositories. And Checkmarx research underscored the risk associated with fake GitHub commits and a vulnerability that could be exploited via repojacking attacks.
The repositories for Atom and GitHub Desktop for Mac were cloned by a compromised personal access token associated with a machine account on Dec. 6, according to GitHub. The company revoked the compromised credentials once it detected the activity on Dec. 7.
The repositories did not contain customer data and “we have no evidence that the threat actor was able to decrypt or use these certificates,” Wales said.
“However, if decrypted, the threat actor could sign unofficial applications with these certificates and pretend that they were officially created by GitHub,” Wales added.
GitHub did not respond to a request for further comment.
GitHub encourages all users to update their versions of Desktop for Mac and downgrade Atom before Thursday to avoid disruptions. GitHub discontinued support for Atom in December.
