GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom.
Code-signing certificates place a cryptographic stamp on code to verify it was developed by the listed organization, which in this case is GitHub. If decrypted, the certificates could allow an attacker to sign unofficial versions of the apps that had been maliciously tampered with and pass them off as legitimate updates from GitHub. Current versions of Desktop and Atom are unaffected by the credential theft.
“A set of encrypted code signing certificates were
→ Continue reading at Ars Technica