As a result of the unauthorized access, a number of encrypted code signing certificates for the GitHub Desktop and Atom applications were leaked. The certificates are password-protected, and no evidence of malicious use has been observed so far. However, if the certificates are decrypted, the threat actor could sign unofficial applications with them and make those applications appear to have been officially created by GitHub.
GitHub will revoke the exposed certificates used for GitHub Desktop and Atom
As a preventive measure, GitHub announced that it will revoke the exposed certificates used for the GitHub Desktop and Atom applications. Revoking the certificates will make some versions of GitHub Desktop for Mac and Atom invalid. However, this change will not affect GitHub Desktop for Windows. The following versions of GitHub Desktop for Mac will be removed from use on February 2:
- 1.2
- 1.1
- 1.0
- 0.8
- 0.7
- 0.6
- 0.5
- 0.4
- 0.3
- 0.2
GitHub Atom will also stop serving the following versions on February 2:
- 63.1
- 63.0
It is recommended that users switch to previous versions of the applications that are not affected by the breach to continue using GitHub Desktop and Atom.