February update: We have revoked all three certificates: two Digicert code signing certificates used for Windows and one Apple Developer ID certificate. If needed, you can download the latest version of GitHub Desktop from and the latest version of Atom from atom/atom.

On December 7, 2022, GitHub detected unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. After a thorough investigation, we have concluded there was no risk to services as a result of this unauthorized access and no unauthorized changes were made to these projects.

A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected and we have no evidence of malicious use. As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom. These versions of GitHub Desktop for Mac will stop working on February 2. Please update to the latest version of Desktop. There will be no impact to GitHub Desktop for Windows. These versions of Atom also will stop working on February 2. To keep using Atom, users will need to download a previous Atom version.

On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account. Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.

However, several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. We have no evidence that the threat actor was able to decrypt or use these certificates.

Certificates are used to verify that code is created by the listed author, very similar to signing your commits on GitHub. These certificates do not put existing installations of the Desktop and Atom apps at risk. However, if decrypted, the threat actor could sign unofficial applications with these certificates and pretend that they were officially created by GitHub.