On December 7, 2022, GitHub discovered that a series of repositories used in the planning and development of GitHub Desktop and Atom were accessed by unknown threat actors without authorization. After a comprehensive investigation, it was announced that the services were not at risk, and no unauthorized changes were made to these projects as a result of this unauthorized access.
As a result of the unauthorized access, a number of encrypted code signing certificates for GitHub Desktop and Atom applications were leaked. The certificates are password-protected, and no evidence of malicious use has been observed so far. However, if the password of the certificates is decrypted, the threat actor can act as if they have been officially created by GitHub by signing unofficial applications with these certificates.
They will cancel the open certificates used for GitHub Desktop and Atom
As a preventive measure, GitHub announced that they will cancel the open certificates used for GitHub Desktop and Atom applications. This cancellation of certificates will make some versions of GitHub Desktop for Mac and Atom invalid. However, this edit will not affect GitHub Desktop for Windows. The following versions of GitHub Desktop for Mac will be removed from use on February 2:
- 1.2
- 1.1
- 1.0
- 0.8
- 0.7
- 0.6
- 0.5
- 0.4
- 0.3
- 0.2
GitHub Atom will also stop serving the following versions on February 2:
- 63.1
- 63.0
It is recommended that users switch to previous versions of the applications that are not affected by the breach to continue using GitHub Desktop and Atom.