GitHub code-signing certificates stolen (but will be revoked this week)
2023-01-31 19:35

Simply put: someone used a Personal Access Token (PAT) of unknown provenance, tied to one of GitHub's own machine accounts, to clone the contents of various source code repositories that belonged to GitHub itself. The cloning happened on 2022-12-06; GitHub disclosed it on 2023-01-30.

Whenever a source code store is stolen, whether it lives on GitHub or elsewhere, there is a risk that a private repository contains access credentials for other systems, or holds the code signing certificates that are used when the software is actually built for public release.
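As an added illustration of that risk (example code written for this page, not anything from GitHub or Sophos), the scanner below walks a checkout and flags committed GitHub tokens, AWS access key IDs, private-key blocks and PKCS#12/Java keystore files. Password-protected keystores are flagged too, since the file itself is what gets exfiltrated. The sample checkout it writes, the token values in it and the pattern list are all constructed for the demo; the fine-grained PAT pattern is an approximation of the `github_pat_` prefix format.

```python
import os
import re
import tempfile

# Patterns for secrets that commonly end up committed (constructed list; extend for your environment).
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),  # assumption: prefix + long body
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}
# Container formats for signing keys/certs. Worth flagging even when password-protected:
# the encrypted file is exactly what an attacker walks off with.
KEYSTORE_SUFFIXES = (".pfx", ".p12", ".jks", ".keystore")
SKIP_DIRS = {".git", "node_modules"}
MAX_BYTES = 1 << 20  # only inspect the first MiB of each file


def scan_text(text):
    """Return the names of the token patterns that match anywhere in `text`."""
    return [name for name, rx in TOKEN_PATTERNS.items() if rx.search(text)]


def scan_tree(root):
    """Walk a checkout and report (relative path, finding) pairs for suspicious files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            if fn.lower().endswith(KEYSTORE_SUFFIXES):
                findings.append((rel, "keystore_file"))
            with open(path, "rb") as f:
                # decode leniently so binary files still get pattern-scanned without crashing
                text = f.read(MAX_BYTES).decode("utf-8", errors="ignore")
            for name in scan_text(text):
                findings.append((rel, name))
    return sorted(findings)


SAMPLE_FILES = {  # constructed sample checkout; every secret-looking value here is fake
    "src/app.py": "print('hello')\n",
    "ci/deploy.sh": "export GH_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJklmnop\n",
    "keys/deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n-----END OPENSSH PRIVATE KEY-----\n",
    "signing/windows-release.pfx": b"\x30\x82\x0a\x00" + b"\x00" * 64,
    "signing/mac-developer-id.p12": b"\x30\x82\x09\x00" + b"\x00" * 64,
}


def demo():
    """Write the constructed sample checkout to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            mode = "wb" if isinstance(content, bytes) else "w"
            with open(path, mode) as f:
                f.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, what in demo():
        print(f"{what:24} {rel}")
```

Run it against a real checkout with `scan_tree("/path/to/clone")`; anything it reports should be rotated or revoked, not merely deleted from the tree, because the history still holds it.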

The crooks got hold of code signing certificates for the GitHub Desktop and Atom products.

The stolen signing certificates were encrypted (password-protected), and GitHub says it has no evidence that the crooks obtained the passwords or that the certificates were misused.

Only three of the certificates had not yet expired on the day they were stolen.

Revoked certificates are published by the issuing CA on a certificate revocation list (CRL), and can also be queried through OCSP; operating systems and signature verifiers consult these when validating a signature, so that content vouched for by a certificate that should no longer be trusted gets blocked. The catch for users is that revocation applies to every signature the certificate ever made, so builds already shipped under it can stop validating (depending on how the platform treats signing timestamps) and have to be replaced by builds signed with a new certificate.
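To make that check concrete, here is an added example (not GitHub's or Sophos's code, and not how any particular operating system implements it) that builds a throwaway CA, issues two code-signing certificates, publishes a CRL that revokes the "stolen" one with a key-compromise reason backdated to the theft, and then applies a verifier policy modelled on Authenticode's timestamp rule: a signature countersigned by a trusted timestamp earlier than the revocation date stays valid. The CA name, subjects and dates are made up, and the policy is an assumption about the verifier; it needs the `cryptography` package.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)


def _aware_utc(obj, attr):
    """cryptography >= 42 exposes aware '<attr>_utc' datetimes; older releases only naive UTC ones."""
    val = getattr(obj, attr + "_utc", None)
    if val is None:
        val = getattr(obj, attr).replace(tzinfo=UTC)
    return val


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(now):
    """Self-signed CA for the demo (hypothetical issuer, not any real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Demo Issuing CA")).issuer_name(_name("Demo Issuing CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - 365 * DAY).not_valid_after(now + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_code_signing_cert(ca_key, ca_cert, cn, now):
    """Leaf certificate carrying the codeSigning EKU, like the ones used to sign releases."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - 365 * DAY).not_valid_after(now + 365 * DAY)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def issue_crl(ca_key, ca_cert, now, revoked):
    """Publish a CRL; `revoked` is a list of (cert, revocation_date, ReasonFlags)."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject).last_update(now).next_update(now + 7 * DAY))
    for cert, when, reason in revoked:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(cert.serial_number).revocation_date(when)
                 .add_extension(x509.CRLReason(reason), critical=False).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def check_signer(cert, crl, ca_cert, now, signed_at=None):
    """Decide whether a signature made by `cert` should still be trusted.

    Returns (trusted, explanation). `signed_at` is the time from a trusted
    countersignature/timestamp, if the signature carries one.
    """
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL signature does not verify against the CA"
    if crl.issuer != cert.issuer:
        return False, "CRL was not issued by this certificate's CA"
    if now > _aware_utc(crl, "next_update"):
        return False, "CRL is stale; fetch a fresh one before trusting anything"
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return True, "not revoked"
    revoked_at = _aware_utc(entry, "revocation_date")
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    # Authenticode-style leniency (assumed policy): a signature timestamped before the
    # revocation date stays valid. That is why the CA should backdate the revocation to the
    # moment of compromise, not the moment of discovery.
    if signed_at is not None and signed_at < revoked_at:
        return True, f"revoked ({reason.name}) but timestamped before {revoked_at:%Y-%m-%d}"
    return False, f"revoked ({reason.name}) as of {revoked_at:%Y-%m-%d}"


def build_demo(now=None):
    """Constructed scenario: one signing cert stolen 56 days ago, one untouched."""
    now = now or datetime.datetime.now(UTC)
    theft = now - 56 * DAY
    ca_key, ca_cert = make_ca(now)
    _, stolen = make_code_signing_cert(ca_key, ca_cert, "Demo Desktop App Signer", now)
    _, intact = make_code_signing_cert(ca_key, ca_cert, "Demo Other Signer", now)
    crl = issue_crl(ca_key, ca_cert, now, [(stolen, theft, x509.ReasonFlags.key_compromise)])
    return {"now": now, "theft": theft, "ca": ca_cert, "stolen": stolen, "intact": intact, "crl": crl}


if __name__ == "__main__":
    d = build_demo()
    for label, cert, ts in [("intact, no timestamp", d["intact"], None),
                            ("stolen, no timestamp", d["stolen"], None),
                            ("stolen, timestamped before theft", d["stolen"], d["theft"] - 7 * DAY),
                            ("stolen, timestamped after theft", d["stolen"], d["theft"] + DAY)]:
        print(f"{label}: {check_signer(cert, d['crl'], d['ca'], d['now'], ts)}")
```

The revocation date in the CRL entry is the lever: set to the theft date, it invalidates anything the thief might have signed and timestamped between theft and discovery, while builds the legitimate owner shipped before the theft keep validating on a verifier with this policy. A verifier that ignores timestamps (or a platform that simply distrusts a revoked signer outright) rejects all of them, which is why already-released versions must be re-signed and pushed out as updates.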


News URL

https://nakedsecurity.sophos.com/2023/01/31/github-code-signing-certificates-stolen-but-will-be-revoked-this-week/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Github 10 2 30 29 14 75