Skip to content

47-Day Certificates Are Coming. Are You Ready?

Act Now →
Case Study

3 Certificates Stolen. 94 Million Developers at Risk. What the GitHub Breach Tells Us About Code Signing.

In December 2022, attackers used a compromised Personal Access Token to steal three encrypted code signing certificates from GitHub. Here’s what went wrong and how CodeSign Secure addresses it.
3 Certificates Stolen. 94 Million Developers at Risk. What the GitHub Breach Tells Us About Code Signing. 

Company

GitHub, the world’s largest code hosting platform, owned by Microsoft. Hosts 100M+ repositories and serves 94M+ developers globally across open-source and enterprise projects as of 2023.

Industry

Software Development, Code Hosting & DevOps

Incident Type

Code Signing Certificate Theft via Compromised Personal Access Token

At a Glance Outcome

3

Encrypted code signing certificates stolen

94M+

Developers whose trust was at stake

~1 Day

Approximate attacker dwell time before detection

742%

Reported rise in supply chain attacks (industry research)

The Enterprise

Challenges

The breach revealed gaps in how GitHub stored and protected its code signing certificates. No decryption or malicious use was ever confirmed, but the certificates could have been used to sign malware distributed through one of the most trusted platforms in software.

Insufficient RBAC for sensitive repositories

The compromised machine account had broader access than its job required, which is a textbook least-privilege violation. Stricter RBAC would have kept it out of the certificate repositories.
01 GOVERNANCE

Certificates accessible via a single compromised PAT

How the PAT was compromised was never disclosed. CI/CD machine accounts didn’t have enough guardrails, so one credential was enough to reach repositories holding code signing certificates.
02 ACCESS CONTROL

Certificates stored in repositories, not HSMs

All three certificates lived in repositories, not Hardware Security Modules: one Apple Developer ID (valid until 2027) and two DigiCert certificates (expiring January 4 and February 1, 2023). Encryption and passwords don’t help much once the attacker has repository access.
03 KEY STORAGE
Enterprises don’t lose trust when a certificate is stolen, they lose it when they can’t prove the stolen key was never usable. HSM-backed signing is what makes that proof possible.

Encryption Consulting, CodeSign Secure Team

CODESIGN SECURE · ENCRYPTION CONSULTING · CODE SIGNING SECURITY

How CodeSign Secure

Addresses It?

CodeSign Secure addresses the same failure points GitHub ran into: HSM-backed key storage with a custom KSP, automated CI/CD signing backed by audit trails, granular access controls paired with real-time SIEM monitoring, and compliance with automated revocation. Each capability maps to one of the gaps above.

Capability 01

HSM-Based Key Storage with Custom KSP

Private keys are generated inside FIPS 140-2 Level 3 HSMs and never leave the device. Encryption Consulting’s KSP hashes the code locally and sends the hash to the HSM to sign, so even if certificates are stolen, the keys aren’t there to use.

Capability 02

Automated Signing & Audit Trails in CI/CD

Signing runs inside CI/CD pipelines, so only authorized code gets signed. Every operation produces a tamper-evident audit log, giving you real-time detection and a full trail for incident response.

Capability 03

Granular Access Controls & Real-Time Monitoring

RBAC, MFA, and M of N quorum approvals keep a single compromised PAT from reaching cryptographic assets. SIEM integrations like Splunk flag anomalous PAT and repository access right away, so a one-day detection window doesn’t open.

Capability 04

Compliance & Automated Revocation

CodeSign Secure meets CA/Browser Forum and GDPR requirements. Automated revocation cuts out the manual back-and-forth with CAs like DigiCert and Apple, so response is faster and the operational disruption GitHub faced is largely avoided.
The GitHub breach shows that encryption alone isn’t protection. Certificates stored outside an HSM are always one stolen credential away from compromise, no matter how strong the password on them.

Encryption Consulting, CodeSign Secure Team

CODESIGN SECURE · ENCRYPTION CONSULTING · CODE SIGNING SECURITY

The Overall

Business Outcome

CodeSign Secure removes the storage and access-control failures that made the GitHub breach possible and gives security teams the visibility to catch threats before certificates are compromised. Securing the software supply chain isn't any single platform's job; it's something the industry has to handle together.

01

Private keys protected, revocation automated

HSM storage and the custom KSP keep private keys on-device, so a stolen certificate alone can’t sign. Automated revocation replaces the slow multi-CA coordination that delayed GitHub.
02

Unauthorized access detected in real time

SIEM integration and audit trails close the one-day monitoring gap GitHub’s attacker exploited. Suspicious PAT activity alerts immediately, so the team contains it before anything is signed.
03

Supply chain trust maintained at scale

For 94M developers, certificate theft erodes the trust collaboration runs on. CodeSign Secure handles that risk at the infrastructure layer, critical with supply chain attacks up 742%.

Discover Our

Latest Resources

Education Center

All You Need to Know About DevSecOps Scaling 

DevSecOps scaling extends automated security across every team and pipeline. Learn the benefits, challenges, six steps, tools, and 2026 compliance drivers.

Read more
Case-Studies

White Paper

The Cert Wars: The Race Against Expiry

One expired certificate (cert) can bring operations to a halt. Discover how to prevent outages and manage certificate expiry before it impacts your business.

Read more
Case-Studies

Video

The 2029 Convergence: Why Microsoft, Google, and Cloudflare All Chose the Same PQC Deadline

Explore expert insights on cybersecurity, PKI, and post-quantum readiness, with practical guidance to strengthen security and future-proof cryptography.

Watch Now
Case-Studies