GitHub says hackers cloned code-signing certificates in breached repository
/var/www/vhosts/lawyersinamerica.com/httpdocs/app/views/singleBlog/singleBlogView.php on line 59">
Biz & IT
Jan 2023
FelizMax Round Zafu Meditation Cushion, Zabuton Meditation Pillow, Yoga Bolster/Pillow, Floor seat, Zippered Organic Cotton Cover, Natural Buckwheat, ...
$38.99
Good Banana Kid's Yoga Mat - Rainbow shaped, 64 x 31.5 inches, adds stability and comfort, (YMRAIN)
$34.99-
OQQ Women's 3 Piece Outfits Ribbed Exercise Long Sleeve Crop Tops Workout High Waist Leggings Yoga Set
$41.99
BuiltFit Microfiber Gym Towels for Sweat Sports Yoga Workout Towel for Men and Women, Super Absorbent and Quick Drying, 3 Pack Set 14x29 Inch Blue
$16.68-
GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom.
Code-signing certificates place a cryptographic stamp on code to verify it was developed by the listed organization, which in this case is GitHub. If decrypted, the certificates could allow an attacker to sign unofficial versions of the apps that had been maliciously tampered with and pass them off as legitimate updates from GitHub. Current versions of Desktop and Atom are unaffected by the credential theft.
The revocations, which will be effective on Thursday, will cause certain versions of the apps to stop working. Those apps are:
GitHub Desktop for Mac with the following versions:
3.1.2
3.1.1
3.1.0
3.0.8
3.0.7
3.0.6
3.0.5
3.0.4
3.0.3
3.0.2
Atom:
1.63.1
1.63.0
Desktop for Windows is unaffected.
On January 4, GitHub published a new version of the Desktop app that's signed with new certificates that were not exposed to the threat actor. Users of Desktop should update to this new version.
One compromised certificate expired on January 4, and another is set to expire on Thursday. Revoking these certificates provides protection if they were used before expiration to sign malicious updates. Without the revocation, such apps would pass the signature check. The revocation has the effect of making all code fail the signature check, no matter when it was signed.
A third affected certificate, an Apple Developer ID certificate, isn't set to expire until 2027. GitHub will revoke this certificate on Thursday as well. In the meantime, GitHub said, "We are working with Apple to monitor for any new executable files (like applications) signed with the exposed certificate."
On December 6, GitHub said, the threat actor used a compromised personal access token (PAT) to clone repositories for Desktop, Atom, and other deprecated GitHub-owned organizations. GitHub revoked the PAT a day later after discovering the breach. None of the cloned repositories contained customer data. The advisory didn't explain how the PAT was compromised.
Included in the repositories were "several encrypted code signing certificates" GitHub uses to sign releases of the Desktop and Atom apps. Customers do not have direct access. There's no evidence that the threat actor could decrypt or use any of the certificates.
"We investigated the contents of the compromised repositories and found no impact to GitHub.com or any of our other offerings outside of the specific certificates noted above," the advisory stated. "No unauthorized changes were made to the code in these repositories."
