GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations

GitHub, the cloud-based repository hosting service, has replaced the RSA SSH host key it uses to secure Git operations. The replacement was made as a precaution after the private key was briefly exposed in a public GitHub repository.

The replacement, carried out at 05:00 UTC on March 24, 2023, was intended to prevent an adversary from impersonating GitHub or eavesdropping on users' Git operations over SSH.

Mike Hanley, GitHub's Chief Security Officer and Senior Vice President of Engineering, said in a post that the key does not grant access to GitHub's infrastructure or customer data, and that the change affects only Git operations over SSH that use RSA.

The change does not affect web traffic to GitHub.com or Git operations over HTTPS, and no action is needed by users whose SSH connections rely on GitHub's ECDSA or Ed25519 host keys. Users connecting over SSH with RSA will see a host key mismatch warning until the old key is removed from their known_hosts file and replaced with the new one.
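The host key swap is only safe if the client removes exactly the stale entry and verifies the replacement before trusting it. The script below is an added example, not code from the original article or from GitHub: it removes github.com ssh-rsa entries from a known_hosts file (the RSA-only equivalent of `ssh-keygen -R github.com`, including entries hashed by HashKnownHosts), leaves ECDSA and Ed25519 entries alone, and refuses to append a new `ssh-keyscan -t rsa github.com` line unless its SHA256 fingerprint equals a pinned value. The known_hosts contents and key blobs are constructed placeholders; the two GitHub fingerprint constants are the values GitHub published for the old and new RSA key at the time of the rotation and should be confirmed against GitHub's current host-key documentation rather than taken from this page.

```python
"""Prune a stale github.com RSA host key from known_hosts and verify a
replacement key's SHA256 fingerprint before trusting it (added example)."""
import base64
import hashlib
import hmac

# Fingerprints GitHub published for its RSA host key before and after the
# March 24, 2023 rotation. Assumption: verify against GitHub's documentation.
OLD_GITHUB_RSA_FP = "SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8"
NEW_GITHUB_RSA_FP = "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"


def fingerprint(key_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded key blob)), unpadded."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Build the |1|salt|hmac host field that HashKnownHosts writes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma list, or hashed) names host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(),
                          hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    return host in field.split(",")


def prune_stale_rsa(known_hosts: str, host: str = "github.com") -> str:
    """Drop ssh-rsa entries for host; other key types and hosts are kept."""
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or line.lstrip().startswith("#"):
            kept.append(line)
            continue
        idx = 1 if fields[0].startswith("@") else 0  # skip @cert-authority etc.
        if (len(fields) > idx + 2 and fields[idx + 1] == "ssh-rsa"
                and host_matches(fields[idx], host)):
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if known_hosts.endswith("\n") else "")


def install_if_pinned(known_hosts: str, keyscan_line: str, pinned_fp: str) -> str:
    """Append an `ssh-keyscan -t rsa` line only if its fingerprint is the
    pinned one; a mismatch is treated as a possible impersonation attempt."""
    _host, ktype, blob = keyscan_line.split()[:3]
    if ktype != "ssh-rsa":
        raise ValueError("expected an ssh-rsa line, got %s" % ktype)
    fp = fingerprint(blob)
    if fp != pinned_fp:
        raise ValueError("fingerprint %s does not match pinned %s; refusing"
                         % (fp, pinned_fp))
    return known_hosts + keyscan_line.rstrip("\n") + "\n"


# Constructed sample known_hosts; the blobs are placeholders, not real keys.
SALT = b"0123456789abcdefghij"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjOLDsTALE",
    "github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbm",
    "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsa",
    hashed_hostname("github.com", SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjOLDsTALE",
    hashed_hostname("gitlab.com", SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCjOLDsTALE",
]) + "\n"

if __name__ == "__main__":
    pruned = prune_stale_rsa(SAMPLE_KNOWN_HOSTS)
    print(pruned)
    # A constructed keyscan line; in practice pin NEW_GITHUB_RSA_FP instead.
    scan = "github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJMzE="
    print(install_if_pinned(pruned, scan, fingerprint(scan.split()[2])))
```

The hashed-entry handling matters because `ssh-keygen -R` matches those entries by recomputing the HMAC, and a naive `grep -v github.com` would miss them and leave the stale key in place.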

The Microsoft-owned company said it has no evidence that any adversary abused the exposed SSH private key, but it did not say how long the secret had been exposed.

GitHub stressed that the issue was not the result of a compromise of any GitHub systems or customer data, but of private information being inadvertently published.

GitHub also warned that users of GitHub Actions who use actions/checkout with the ssh-key option may see failed workflow runs, because the platform was still in the process of updating that action across all of its tags.

The development comes almost two months after GitHub disclosed that unknown threat actors had exfiltrated encrypted code signing certificates for certain versions of GitHub Desktop for Mac and Atom.
