GitHub Becomes A Victim Of Hacking, Code Signing Certificates For Desktop And Atom Stolen!
JAKARTA - Earlier this week GitHub, known as a cloud-based website and service for software developers, detected unauthorized access to a collection of repositories.
The repositories were used in the planning and development of GitHub Desktop and Atom. The unauthorized access took place in a hack that occurred in December last year.
GitHub representative Alexis Wales explained the hack. On December 6, 2022, repositories from Atom, Desktop, and GitHub-owned organizations that are no longer in use were cloned using a Personal Access Token (PAT) associated with a machine account.
After being detected on December 7, 2022, the GitHub team immediately revoked the compromised credentials and began investigating potential impacts on customers and internal systems. None of the affected repositories contain customer data.
"However, several encrypted code signing certificates are stored in this repository for use through Actions in our GitHub Desktop workflow and Atom releases. We have no evidence that threat actors can decrypt or use this certificate," Wales said in a company blog post quoted Wednesday, February 1.
Luckily, no GitHub data was stolen in the hack, but Wales still advises users to make sure they download the latest updates on the affected software.
"After a thorough investigation, we conclude there is no risk to the GitHub.com service as a result of this illegal access and no unauthorized changes have been made to this project," Wales said.
Because the attackers stole the code signing certificates, GitHub will revoke the certificates for several versions of Atom and GitHub Desktop on February 2, so users must update before this date.
"A set of encrypted code signing certificates has been extracted. However, the certificate is password protected and we have no evidence of malicious use," Wales said.
"As a precautionary measure, we will revoke the certificates that were exposed and used for the GitHub Desktop and Atom applications. Revocation of this certificate will cancel several versions of GitHub Desktop for Mac and Atom," he added.
Furthermore, Wales also stated that GitHub Desktop for Mac versions 3.1.2, 3.1.1, 3.1.0, 3.0.8, 3.0.7, 3.0.6, 3.0.5, 3.0.4, 3.0.3 and 3.0.2 will stop working on February 2.
Meanwhile, GitHub Desktop for Windows is not affected. In addition, the company also warns that Atom versions 1.63.0 and 1.63.1 will stop working on the same date, and to keep using Atom, users will have to download previous versions of Atom.