Upon further investigation, we have confirmed that the malicious code reported as bearing our code signing certificate was not in fact validly signed with it, and so we are confident that no compromise of any of our infrastructure has occurred.
The issue arose from scanning tools that misidentified the malware as signed by us even though it carried no valid signature of ours. The malware was built with PyInstaller and bundled our official, signed binaries, so it did contain a copy of our public certificate, but only inside those bundled files, not as part of its own file signature. The tool in question has since been fixed.
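To make that distinction concrete, the following is an added example (not code from the Python Security Response Team or CPython) that contrasts a scanner which matches the signer's certificate bytes anywhere in a file with one that only looks at the file's own Authenticode signature, i.e. the WIN_CERTIFICATE blob referenced from the PE security data directory. The certificate, the "signed python.exe" and the PyInstaller-style bundle are constructed stand-in bytes, and the names `build_pe`, `FAKE_SIGNER_CERT_DER` and `PYINSTALLER_MALWARE` are this example's own.

```python
import struct
from typing import Optional

# Constants from the PE/COFF and Authenticode specifications.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
NUM_DATA_DIRECTORIES = 16


def build_pe(body: bytes, signature_blob: Optional[bytes]) -> bytes:
    """Construct a minimal PE32+ image (not loadable, just enough header for the
    parser below): DOS header, PE signature, COFF header, optional header with
    16 data directories, `body`, and optionally a trailing WIN_CERTIFICATE that
    the security directory points at, which is where Authenticode keeps a
    file's own signature."""
    e_lfanew = 64
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    opt_size = 112 + 8 * NUM_DATA_DIRECTORIES          # PE32+ fixed part + directories
    coff_header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    body_offset = e_lfanew + 4 + 20 + opt_size
    directories = [(0, 0)] * NUM_DATA_DIRECTORIES
    win_certificate = b""
    if signature_blob is not None:
        win_certificate = struct.pack("<IHH", 8 + len(signature_blob), WIN_CERT_REVISION_2_0,
                                      WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        # For the security directory the "VirtualAddress" field is a raw file offset.
        directories[IMAGE_DIRECTORY_ENTRY_SECURITY] = (body_offset + len(body), len(win_certificate))
    opt_header = struct.pack("<H", PE32PLUS_MAGIC) + b"\x00" * 106
    opt_header += struct.pack("<I", NUM_DATA_DIRECTORIES)   # NumberOfRvaAndSizes, offset 108
    opt_header += b"".join(struct.pack("<II", *d) for d in directories)
    return dos_header + b"PE\0\0" + coff_header + opt_header + body + win_certificate


def authenticode_signature(pe: bytes) -> Optional[bytes]:
    """Return the PKCS#7 SignedData blob from the file's security directory, or
    None if the file has no Authenticode signature of its own. Certificate bytes
    anywhere else (overlay data, a bundled executable) are deliberately ignored."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_offset = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", pe, opt_offset)
    if magic == PE32PLUS_MAGIC:
        count_offset, dir_offset = opt_offset + 108, opt_offset + 112
    elif magic == PE32_MAGIC:
        count_offset, dir_offset = opt_offset + 92, opt_offset + 96
    else:
        raise ValueError("unrecognised optional header magic 0x%x" % magic)
    (num_directories,) = struct.unpack_from("<I", pe, count_offset)
    if num_directories <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    cert_offset, cert_size = struct.unpack_from("<II", pe, dir_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_offset == 0 or cert_size == 0:
        return None
    if cert_size < 8 or cert_offset + cert_size > len(pe):
        raise ValueError("security directory points outside the file")
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_offset)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > cert_size:
        return None
    return pe[cert_offset + 8:cert_offset + length]


def naive_contains_certificate(pe: bytes, cert_der: bytes) -> bool:
    """The flawed heuristic: the signer's certificate occurs somewhere in the file,
    therefore the file is "signed by" that signer."""
    return cert_der in pe


def own_signature_uses_certificate(pe: bytes, cert_der: bytes) -> bool:
    """Count the certificate only if it sits inside the file's own signature blob.
    This settles *where* the bytes are; a real verifier must still check the
    PKCS#7 signature, the chain and revocation status."""
    blob = authenticode_signature(pe)
    return blob is not None and cert_der in blob


# Constructed stand-ins, not real artefacts. \x30\x82 is the DER SEQUENCE prefix a
# real certificate starts with; the rest is filler.
FAKE_SIGNER_CERT_DER = b"\x30\x82\x00\x20" + b"EXAMPLE-PYTHON-SIGNING-CERT-DER!"
SIGNED_PYTHON_EXE = build_pe(b"<official python.exe machine code>",
                             b"<PKCS#7 SignedData placeholder>" + FAKE_SIGNER_CERT_DER)
# PyInstaller-style bundle: an unsigned bootloader carrying the signed interpreter
# (and therefore the certificate) as data, plus the actual payload.
PYINSTALLER_MALWARE = build_pe(b"<unsigned bootloader>" + SIGNED_PYTHON_EXE + b"<malicious payload>", None)


def classify(pe: bytes, cert_der: bytes) -> dict:
    return {"contains_cert_bytes": naive_contains_certificate(pe, cert_der),
            "signed_with_cert": own_signature_uses_certificate(pe, cert_der)}


if __name__ == "__main__":
    print("official interpreter:", classify(SIGNED_PYTHON_EXE, FAKE_SIGNER_CERT_DER))
    print("pyinstaller malware: ", classify(PYINSTALLER_MALWARE, FAKE_SIGNER_CERT_DER))
```

Both files contain the certificate bytes, but only the interpreter's own security directory references a signature that carries it; the bundle has no signature of its own, which is exactly the case the misbehaving tool got wrong. Locating the blob is only the first step: a correct check also verifies the PKCS#7 signature, builds the chain and consults revocation, as `signtool verify` or PowerShell's `Get-AuthenticodeSignature` do, and that last step is why binaries signed with a revoked certificate validate as invalid.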
Unfortunately, a revoked certificate cannot be un-revoked, so the signatures on the binaries for 3.12.8 and 3.13.1 will continue to validate as invalid. As mentioned in the original notification, no other releases used this certificate, so only the listed versions are affected. You can refer to Trusted Signing certificate management | Microsoft Learn for more information about how our signing processes work.
In summary, no compromise took place, our certificates and signing processes should still be considered trustworthy, and we now consider the issue closed.
-Python Security Response Team