The breach and theft of GitHub encrypted code signing certificates follows a series of security incidents and vulnerabilities impacting the Microsoft-owned company and some of its customers.
Slack, earlier this month, said a threat actor stole employee tokens and used them to access the company’s externally hosted GitHub repository, from which the threat actor exfiltrated private code repositories. Okta’s source code repositories were accessed and copied by an unauthorized party on GitHub in December.
Researchers at Veracode earlier this month highlighted an abundance of vulnerabilities and undiscovered flaws in open source GitHub repositories. And Checkmarx research underscored the risk associated with fake GitHub commits and a vulnerability that could be exploited via repojacking attacks.
The repositories for Atom and GitHub Desktop for Mac were cloned on Dec. 6 using a compromised personal access token associated with a machine account, according to GitHub. The company revoked the compromised credentials once it detected the activity on Dec. 7.
The repositories did not contain customer data and “we have no evidence that the threat actor was able to decrypt or use these certificates,” Wales said.
“However, if decrypted, the threat actor could sign unofficial applications with these certificates and pretend that they were officially created by GitHub,” Wales added.
GitHub did not respond to a request for further comment.
GitHub encourages all users to update their versions of Desktop for Mac and downgrade Atom before Thursday to avoid disruptions. GitHub discontinued support for Atom in December.