“On 6 December 2022, repositories from our Atom, Desktop and other deprecated GitHub-owned organisations were cloned by a compromised personal access token (PAT) associated with a machine account,” the organisation said in a statement.

GitHub apparently became aware of the attack on 7 December 2022, but waited almost two months to go public pending a thorough investigation, which found “no risk” to GitHub services as a result, and no unauthorised changes made.

“Once detected on 7 December 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.

“However, several encrypted code-signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. We have no evidence that the threat actor was able to decrypt or use these certificates.”

As a preventative measure, GitHub will be revoking the exposed certificates, which will invalidate various versions of GitHub Desktop and Atom.

As such, Mac users of Desktop versions 3.1.2, 3.1.1, 3.1.0, 3.0.8, 3.0.7, 3.0.6, 3.0.5, 3.0.4, 3.0.3 and 3.0.2 must update by 2 February 2023 – there is no impact to Windows users.

Meanwhile, versions 1.63.1 and 1.63.0 of Atom will also stop working on 2 February – to keep using it, users will need to roll back to a previous version.

By this point, said GitHub, both of the DigiCert certificates will have expired and as such could not have been used to sign code anyway, but the Apple certificate retains validity through 2027, so GitHub has been working with Apple to monitor any executables signed with it until it is revoked.

Code-signing certificates such as the three stolen in December are important because they prove that code was written by a listed author. While their theft does not put existing installations of Desktop and Atom at risk, if the thief was able to decrypt them, they could start to sign their own applications – such as malware – with these certificates and make out that they were official GitHub applications.

“The security and trustworthiness of GitHub and the broader developer ecosystem is our highest priority,” GitHub added.