The attacker extracts credentials used for code signing from a production
						environment and uses these credentials to sign malicious content with the
						developer's key. Many developers use signing keys to sign code or hashes of
						code. When users or applications verify the signatures are accurate they are
						led to believe that the code came from the owner of the signing key and that
						the code has not been modified since the signature was applied. If the
						attacker has extracted the signing credentials then they can use those
						credentials to sign their own code bundles. Users or tools that verify the
						signatures attached to the code will likely assume the code came from the
						legitimate developer and install or run the code, effectively allowing the
						attacker to execute arbitrary code on the victim's computer.