GitHub says unknown attackers stole encrypted code-signing certificates for its Desktop and Atom apps after gaining access to some of its development planning and release repositories.

So far, GitHub has found no evidence that password-protected certificates (an Apple Developer ID certificate and two Digicert code-signing certificates used for Windows applications) have been used for malicious purposes.

“On December 6, 2022, the repositories of our outdated Atom, Desktop, and other organizations belonging to Github were cloned by a compromised Personal Access Token (PAT) associated with a machine account”, GitHub said.

“Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating the potential impact to customers and internal systems. None of the affected repositories contained customer data.”

The company added that there was no risk to GitHub.com services due to this security flaw and that no unauthorized changes were made to the affected projects.

However, compromised certificates will be revoked to invalidate GitHub Desktop for Mac and Atom builds signed using them.

GitHub said all three certificates would be revoked on February 2, 2023:

• One Digicert certificate expired on January 4, 2023 and the second will expire on February 1, 2023. Once expired, these certificates can no longer be used to sign code. Although these do not present a permanent risk, we will revoke them as a preventive measure on February 2.
• The Apple Developer ID certificate is valid until 2027. We are working with Apple to monitor all new executable files (like applications) signed with the exposed certificate until the certificate is revoked on February 2.

GitHub has removed the last two versions of the Atom application (1.63.0-1.63.1) from the releases page and will revoke the Mac and Windows signing certificates used to sign versions 3.0.2-3.1.2 of the Desktop application and Atom versions 1.63.0 -1.63.1 on February 2.

Once the certificates are revoked, all application versions signed with the compromised certificates will no longer work.

“On January 4, 2023, we released a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor,” GitHub added.

“We highly recommend desktop update and or demote Atom before February 2 to avoid disruptions to your workflows.”