
DigiCert Lost 27 Code Signing Certificates to a Screensaver File

DigiCert, one of the world's largest Certificate Authorities, was compromised by a screensaver file sent through a customer support chat. Their antivirus blocked it four times. The agent kept clicking.

#7 May 7, 2026 By market-research

DigiCert is one of the world's largest Certificate Authorities. They issue the digital certificates that tell your computer "this software is safe to run." When you install a signed application, your operating system checks the signature against a certificate chain that leads back to a CA like DigiCert.

In April 2026, a threat actor opened a customer support chat on DigiCert's Salesforce-based portal. They sent a ZIP file disguised as a customer screenshot. Inside was a .scr file — a Windows screensaver executable.

DigiCert's CrowdStrike endpoint protection blocked it. The support agent tried again. Blocked again. Third time. Fourth time. Blocked every time.

The fifth attempt got through.

One machine, then two

The first compromised machine was detected and isolated within a day. Good response.

The second compromised machine wasn't detected for twelve days. Why? An "endpoint protection sensor gap" — the machine either lacked EDR coverage or its telemetry wasn't being reviewed.

A Certificate Authority — the organization whose entire business is trust — had a machine in its support environment without functioning endpoint detection. For twelve days, an attacker had access.

27 certificates

The attacker obtained 27 EV code signing certificates. DigiCert ultimately revoked 60 certificates in total, including 16 additional suspicious ones found during the investigation.

These certificates were used to sign the Zhong Stealer malware family, linked to Chinese e-crime and cryptocurrency theft. The malware carried a valid digital signature from a trusted CA. Operating systems treated it as legitimate software.

This is what makes CA compromise different from a typical breach. Stolen passwords affect accounts. Stolen API keys affect services. Stolen code signing certificates affect trust itself. Every operating system, every app store, every enterprise endpoint trusts the CA hierarchy. When a CA is compromised, that trust is weaponized.

The real failure

The antivirus worked. Four out of five times, the automated system did exactly what it should do. The failure was the human who kept overriding it.

This is a pattern we see everywhere. Security teams build defense-in-depth architectures with EDR, sandboxing, network segmentation, and alerting. Then someone in support opens a file because a customer asked nicely. The most sophisticated security stack in the world doesn't survive a user who clicks Allow five times.

But blaming the support agent misses the point. The system allowed a support agent to receive executable files through a chat channel. The system allowed five consecutive attempts after four blocks. The system didn't flag "this user is bypassing antivirus repeatedly" as a security event. The system had a machine without EDR coverage in an environment that handles code signing certificates.

The human clicked. The system let them.
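The "this user is bypassing antivirus repeatedly" signal the post says the system never raised, as an added example that is not from the post and not DigiCert's or CrowdStrike's own tooling: it runs over constructed EDR-style events (assumed fields: timestamp, user, host, verdict, file) and alerts when the same user keeps hitting blocks on the same file, then escalates when an ALLOWED verdict follows those blocks.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR-style events for illustration (not real DigiCert/CrowdStrike telemetry).
# Fields: timestamp, user, host, verdict, file
EVENTS = [
    "2026-04-10T09:01:12Z support_agent01 SUP-WS-14 BLOCKED customer_screenshot.scr",
    "2026-04-10T09:02:40Z support_agent01 SUP-WS-14 BLOCKED customer_screenshot.scr",
    "2026-04-10T09:04:05Z support_agent01 SUP-WS-14 BLOCKED customer_screenshot.scr",
    "2026-04-10T09:05:33Z support_agent01 SUP-WS-14 BLOCKED customer_screenshot.scr",
    "2026-04-10T09:07:10Z support_agent01 SUP-WS-14 ALLOWED customer_screenshot.scr",
    "2026-04-10T10:15:00Z support_agent02 SUP-WS-07 BLOCKED invoice.pdf.exe",
    "2026-04-11T08:00:00Z support_agent03 SUP-WS-22 ALLOWED notes.txt",
]

def parse_event(line):
    ts, user, host, verdict, path = line.split(" ", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, host, verdict, path

def detect_repeated_overrides(lines, threshold=3, window=timedelta(minutes=30)):
    """Alert once when the same user/host/file is BLOCKED `threshold` times inside
    `window`, and escalate if an ALLOWED verdict then follows within the window."""
    recent_blocks = defaultdict(list)  # (user, host, file) -> timestamps of blocks
    alerts = []
    for line in sorted(lines):         # ISO-8601 timestamps sort correctly as text
        ts, user, host, verdict, path = parse_event(line)
        key = (user, host, path)
        if verdict == "BLOCKED":
            # keep only the blocks that are still inside the sliding window
            recent_blocks[key] = [t for t in recent_blocks[key] if ts - t <= window] + [ts]
            if len(recent_blocks[key]) == threshold:
                alerts.append({"key": key, "severity": "high",
                               "reason": f"{threshold} blocks within {window}"})
        elif verdict == "ALLOWED" and recent_blocks[key] \
                and ts - recent_blocks[key][-1] <= window:
            alerts.append({"key": key, "severity": "critical",
                           "reason": f"allowed after {len(recent_blocks[key])} blocks"})
    return alerts

if __name__ == "__main__":
    for alert in detect_repeated_overrides(EVENTS):
        print(alert["severity"].upper(), alert["key"], alert["reason"])
```

Wired into a SIEM, the "critical" alert is the moment to isolate the host rather than wait for the sensor to notice what the file does next.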

What code signing certificates are worth

A valid EV code signing certificate from a trusted CA is one of the most valuable things an attacker can steal. More valuable than passwords, more valuable than API keys, arguably more valuable than encryption keys.

With a stolen code signing certificate, an attacker can sign malware that passes SmartScreen, Gatekeeper, and every enterprise allowlist. They can publish updates to existing signed software that appear legitimate. They can bypass application whitelisting policies in corporate environments. They can defeat every downstream security control that relies on signature verification.

The entire software supply chain trusts the certificate chain. When a CA is compromised, the chain breaks, but nobody knows until the signed malware is discovered.

Eleven of the compromised certificates were found because community members reported them linked to malware. Not DigiCert's internal monitoring. The community.

The pattern

This month alone:

  • ClickUp hardcoded an API key in page source JavaScript. One request, 959 email addresses.
  • Bitwarden's CLI was compromised via npm, harvesting SSH keys and cloud credentials from developer machines.
  • Vercel stored environment variables in a format an attacker could decrypt for two months.
  • DigiCert lost code signing certificates to a screensaver file.

Every one of these involves a credential that existed as a copyable artifact with no scope, no hardware binding, and no second factor on use.

The fix isn't better antivirus. It isn't more training. It isn't a new policy document. The fix is credentials that can't be copied. Keys that don't exist as files. Signing operations that require hardware presence. Trust anchors that are mathematically bound to a physical device, not to a string that someone can paste into a chat window.

---

Sources:
- Mozilla Bugzilla incident report
- Help Net Security: DigiCert breached via malicious screensaver file
- DigiCert official statement