- GitHub discovered on December 7, 2022, that a hacker had obtained code signing certificates for GitHub Desktop and Atom.
- Following an examination, GitHub came to the conclusion that there was no risk to the GitHub.com services.
- Before February 2, the GitHub team strongly advises downgrading Atom and updating Desktop to prevent interruptions.
On December 7, 2022, GitHub detected that a hacker had managed to steal code signing certificates for GitHub Desktop and Atom. Software developers use code signing certificates to digitally sign software programs, drivers, executables, and applications so that end users can confirm that the code they receive hasn’t been tampered with or compromised.
No risk to GitHub.com services found
After its investigation, GitHub concluded that neither the unauthorized access nor the unauthorized changes to these projects posed any risk to the GitHub.com services. A set of encrypted, password-protected code signing certificates was stolen; as of now there is no indication that they have been used maliciously.
In response, GitHub announced that on February 2 it will revoke the affected certificates, which will invalidate the signatures on GitHub Desktop versions 3.0.2 through 3.1.2 (inclusive), so those versions will stop working.
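The two mechanisms described above, a signature that lets end users detect tampering and a revocation that invalidates every build signed with a stolen certificate, can be shown together in a small verifier. The following Go program is an added example and is not GitHub's code; it creates a self-signed certificate marked for code signing (standing in for a CA-issued publisher certificate), signs a constructed "installer" blob, and then checks both the signature and the certificate's revocation status. The `Revoked` map is a simplified stand-in for the CRL/OCSP lookup a real operating system performs; the names `Signer`, `NewSigner`, `Verify` and `Revoked` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer is a hypothetical software publisher: a private key plus the certificate that binds it to a name.
type Signer struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Revoked stands in for a CRL or OCSP response: the serial numbers the issuer has revoked.
type Revoked map[string]bool

// NewSigner builds a self-signed certificate with the code-signing extended key usage.
// In practice a CA would issue this; self-signing keeps the example offline.
func NewSigner(name string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{key: key, Cert: cert}, nil
}

// Sign returns an ASN.1 ECDSA signature over the SHA-256 digest of the artifact.
func (s *Signer) Sign(artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// Verify accepts an artifact only if the certificate is unrevoked, within its validity
// window, permitted for code signing, and the signature matches the artifact bytes.
// Revoking the certificate therefore rejects every build it ever signed, which is what
// makes the affected Desktop and Atom versions stop working on the revocation date.
func Verify(artifact, sig []byte, cert *x509.Certificate, revoked Revoked) error {
	if revoked[cert.SerialNumber.String()] {
		return errors.New("signing certificate has been revoked")
	}
	now := time.Now()
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("signing certificate outside its validity period")
	}
	if !hasCodeSigningEKU(cert) {
		return errors.New("certificate is not permitted for code signing")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match artifact (tampered or wrong key)")
	}
	return nil
}

func hasCodeSigningEKU(cert *x509.Certificate) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning {
			return true
		}
	}
	return false
}

func main() {
	signer, err := NewSigner("Example Publisher (constructed)")
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed installer bytes") // stands in for a real binary
	sig, _ := signer.Sign(artifact)
	fmt.Println("fresh build:", Verify(artifact, sig, signer.Cert, Revoked{}))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1
	fmt.Println("tampered build:", Verify(tampered, sig, signer.Cert, Revoked{}))
	revoked := Revoked{signer.Cert.SerialNumber.String(): true}
	fmt.Println("after revocation:", Verify(artifact, sig, signer.Cert, revoked))
}
```

The revocation check runs before the signature check on purpose: a valid signature from a stolen certificate is exactly the case revocation exists for, so a verifier that only checks the math would still accept a build signed by the thief. Real platform verifiers additionally consult trusted timestamps so that builds signed before the compromise can keep working; this example omits that step, which is why every build signed with the revoked certificate is rejected.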
The following Atom versions will also stop working on February 2:
- 1.63.1
- 1.63.0
To keep using Atom, users will need to download an earlier Atom version.
The GitHub team revoked the compromised credentials as soon as it learned of the theft on December 7, 2022, and began investigating the possible impact on customers and internal systems. The affected repositories did not contain any customer data.
The GitHub team highly recommends updating Desktop and downgrading Atom before February 2 to avoid disruptions.