Identify compromised versions of GitHub apps using JupiterOne

by

Written by Brendan Quinn and Yvie Djieya

On January 30, 2023 GitHub disclosed that unauthorized users had gained access to repositories that contained encrypted code signing certificates for its Desktop and Atom applications. These certificates were password protected and there is no current evidence of malicious use, according to GitHub, but customers are still advised to take precautions before impacted certificates are deprecated.

As a preventative measure, GitHub will be deprecating the Mac and Windows signing certificates used to sign Desktop app versions 3.0.2-3.1.2 and Atom versions 1.63.0-1.63.1 on Thursday, February 2, 2023. Once deprecated, these certificates can no longer be used to sign code. GitHub recommends updating Desktop and/or downgrading Atom before February 2nd to avoid workflow disruptions.

The following J1 queries can be used to help identify which devices in your environment have the compromised versions of the application installed:

GitHub Desktop

FIND Application WITH displayName ~= ('GitHub' OR 'Github') AS x 
THAT INSTALLED AS r (Device|Host) AS y 
WHERE r.version = ('3.1.2' OR '3.1.1' OR '3.1.0' OR '3.0.8' OR '3.0.7' OR '3.0.6' OR '3.0.5' OR '3.0.4' OR '3.0.2')
RETURN 
x.displayName AS GitHub_Desktop_App,
r.version AS Compromised_Version,
r._class AS Is, 
y.displayName AS On, 
y.email AS Owned_By

GitHub Atom

FIND Application WITH displayName ~= ('Atom.app') AS x 
THAT INSTALLED AS r (Device|Host) AS y 
WHERE r.version = ('1.63.1' OR '1.63.0')
RETURN 
x.displayName AS GitHub_Desktop_App,
r.version AS Compromised_Version,
r._class AS Is, 
y.displayName AS On, 
y.email AS Owned_By

New call-to-action
JupiterOne Team
JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.

Keep Reading

Better Together: CMDB + CSPM = Cloud Native Cyber Asset Management
September 4, 2024
Blog
Better Together: CMDB + CSPM = Cloud Native Cyber Asset Management

There is a lot of confusion out there when it comes to cloud native IT and cloud security tools. Things have gotten rather complicated over the last few years as we

Top Takeaways From the Cyentia Institute’s Inaugural Study of EPSS Data and Performance - "A VISUAL EXPLORATION OF EXPLOITATION IN THE WILD"
July 30, 2024
Blog
Top Takeaways From the Cyentia Institute’s Inaugural Study of EPSS Data and Performance

A CISO's Top 6 Takeaways From the Cyentia Institute’s Inaugural Study of EPSS Data and Performance "A Visual Exploration of Exploitation in the Wild"

Open Source Compliance, Endpoint and Vulnerability Management with Fleet | JupiterOne
July 24, 2024
Blog
Open Source Compliance, Endpoint and Vulnerability Management with Fleet

Here’s how Fleet integrates with JupiterOne to gain comprehensive insights and enhance the security in our environment.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.