On December 7, 2022, GitHub detected unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. After a thorough investigation, we have concluded there was no risk to GitHub.com services as a result of this unauthorized access and no unauthorized changes were made to these projects.
A set of encrypted code signing certificates were exfiltrated; however, the certificates were password-protected and we have no evidence of malicious use. As a preventative measure, we will revoke the exposed certificates used for the GitHub Desktop and Atom applications. Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom.
These versions of GitHub Desktop for Mac will stop working on February 2. Please update to the latest version of Desktop.
There will be no impact to GitHub Desktop for Windows.
These versions of Atom also will stop working on February 2. To keep using Atom, users will need to download a previous Atom version.
On December 6, 2022, repositories from our
desktop, and other deprecated Github-owned organizations were cloned by a compromised Personal Access Token (PAT) associated with a machine account. Once detected on December 7, 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.
However, several encrypted code signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. We have no evidence that the threat actor was able to decrypt or use these certificates.
Certificates are used to verify that code is created by the listed author, very similar to signing your commits on GitHub. These certificates do not put existing installations of the Desktop and Atom apps at risk. However, if decrypted, the threat actor could sign unofficial applications with these certificates and pretend that they were officially created by GitHub.
Three certificates were still valid on December 6, 2022: two Digicert code signing certificates used for Windows and one Apple Developer ID certificate. GitHub will revoke all three certificates on February 2, 2023.
- One Digicert certificate expired on January 4, 2023 and the second will expire on February 1, 2023. Once expired, these certificates can no longer be used to sign code. While these will not pose an ongoing risk, as a preventative measure, we will revoke them on February 2.
- The Apple Developer ID certificate is valid until 2027. We are working with Apple to monitor for any new executable files (like applications) signed with the exposed certificate until the certificate is revoked on February 2.
On January 4, 2023, we published a new version of the Desktop app. This version is signed with new certificates that were not exposed to the threat actor.
We investigated the contents of the compromised repositories and found no impact to GitHub.com or any of our other offerings outside of the specific certificates noted above. No unauthorized changes were made to the code in these repositories.
Today, we are removing the latest two versions of the Atom app 1.63.0-1.63.1 from our releases page. Once the certificate is revoked, these versions will no longer function. You can download a previous Atom release per our sunsetting guidance.
On Thursday, February 2, 2023, we will revoke the Mac & Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1. Once revoked, all versions signed with these certificates will no longer function. We highly recommend updating Desktop and/or downgrading Atom before February 2 to avoid disruptions in your workflows.
The security and trustworthiness of GitHub and the broader developer ecosystem is our highest priority. We recommend users take action on the above recommendations to continue using GitHub Desktop and Atom.