GitHub, a subsidiary of Microsoft, announced that unknown attackers managed to extract encrypted code signing certificates related to some versions of GitHub Desktop for Mac and Atom applications.
As a security measure, the company is revoking the affected certificates. As a result, certain versions of GitHub Desktop for Mac, including 3.0.2 to 3.1.2, and Atom versions 1.63.0 and 1.63.1 will stop functioning on February 2, 2023, requiring users to downgrade to a previous version. GitHub Desktop for Windows is not impacted.
The unauthorized access to deprecated repositories used for the planning and development of GitHub Desktop and Atom was detected on December 7, 2022, and the compromised personal access token was revoked. However, the company did not reveal the cause of the breach.
The three exposed certificates, two DigiCert certificates for Windows and one Apple Developer ID certificate, will be revoked on February 2, 2023. GitHub has released a new version of the desktop app signed with new certificates that were not exposed to the threat actors.
The company confirmed that no unauthorized changes were made to the code in the affected repositories.