DigiCert revokes 60 code signing certificates after internal systems compromise
10 articles · Updated · Help Net Security · May 4
A chat-based social engineering attack used a ZIP posing as a screenshot to deliver a malicious .scr file (a Windows screensaver, which the OS loads as an ordinary executable), leading to unauthorized EV Code Signing certificate issuance across multiple accounts.
DigiCert said 27 of the revoked certificates were linked to attacker activity: 11 were tied to malware by community reports and 16 were found internally. Pending orders were cancelled.
One compromised support system was contained within 24 hours, but a second went undetected for nearly two weeks because of a CrowdStrike sensor misconfiguration. Researchers linked abused certificates to Zhong Stealer malware.
How did a top security tool fail, leaving a trusted authority blind to hackers for two weeks?
When trusted digital signatures are used to approve malware, who can users really trust online?
Could one support chat be the key to compromising the global software supply chain?
DigiCert April 2026 Breach: 60 Fraudulent EV Code-Signing Certificates Issued via Support Portal Exploit
Overview
In April 2026, attackers compromised DigiCert by delivering a disguised malicious file to a support analyst and infecting that analyst's endpoint. DigiCert contained this first intrusion quickly, but a second infected endpoint remained undetected for nearly two weeks because of a security sensor gap. In that window the attackers abused DigiCert's support portal, harvesting the sensitive initialization codes that allowed them to fraudulently issue 60 Extended Validation code-signing certificates. At least 27 of those certificates were linked to attacker activity, including certificates found on signed malware, and DigiCert revoked all 60. The revocation caused widespread operational disruptions and false positives in security tools, leading to coordinated mitigation efforts and heightened industry scrutiny of systemic risks in certificate authority practices.
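The initial lure described above, a ZIP posing as a screenshot that actually carries a .scr executable, is something a mail or chat gateway can screen for before the archive ever reaches a support analyst. The following Python script is an added example and is not code from DigiCert, CrowdStrike or any of the reporting. It builds a constructed sample archive in memory and flags entries whose final extension is executable, whose name hides an executable behind an image-looking double extension or a Unicode right-to-left override, or whose content begins with the PE "MZ" header regardless of what the name claims. The file names, archive contents and extension lists are assumptions chosen for illustration.

```python
import io
import zipfile

# Extensions Windows runs as programs on double-click. A .scr "screensaver"
# is a normal PE executable under a different name. Assumed list, not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".lnk", ".msi"}
# Extensions an attacker borrows to make a lure look like a picture.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
PE_MAGIC = b"MZ"            # first two bytes of every DOS/PE executable
RTL_OVERRIDE = "\u202e"     # control character that visually reverses the rest of a name


def _split_name(filename: str):
    """Return (final extension, set of inner extensions) for an archive entry."""
    base = filename.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return "", set()
    return "." + parts[-1], {"." + p for p in parts[1:-1]}


def inspect_zip(data: bytes) -> list:
    """Return [{'name': ..., 'reasons': [...]}] for every suspicious entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext, inner = _split_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)   # content check: the name can lie, the header cannot
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            if ext in EXECUTABLE_EXTENSIONS and inner & IMAGE_EXTENSIONS:
                reasons.append("image name hiding an executable (double extension)")
            if RTL_OVERRIDE in info.filename:
                reasons.append("right-to-left override in file name")
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header under non-executable extension " + (ext or "(none)"))
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway verdict: block the archive if any entry was flagged."""
    return bool(inspect_zip(data))


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real artefact from the incident)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The lure: looks like screenshot.png to a user with extensions hidden.
        zf.writestr("screenshot.png.scr", b"MZ\x90\x00" + b"\x00" * 60)
        # Renders as "photorcs.png" in most file managers; really a .scr.
        zf.writestr("photo" + RTL_OVERRIDE + "gnp.scr", b"MZ" + b"\x00" * 30)
        # A PE simply renamed to .png; caught by the header check only.
        zf.writestr("invoice.png", b"MZ" + b"\x00" * 30)
        zf.writestr("notes.txt", b"please see attached screenshot")
        zf.writestr("real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed benign archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(repr(finding["name"]), "->", "; ".join(finding["reasons"]))
    print("clean archive suspicious:", is_suspicious(build_clean_zip()))
```

The extension checks alone are easy to defeat, which is why the script also reads the first two bytes of each entry: a renamed PE still starts with "MZ". In a real gateway the same logic should run on archives arriving through the chat platform the support team uses, not only on e-mail, since that is the channel the attack described here went through.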