There have been a few recent incidents of what seems to be extremely rare: malware authors using code signing certificates that were issued to companies with good reputations. The high-profile Stuxnet incident involved validly signed malware using misappropriated Authenticode certificates from two Taiwanese companies.
“The fact that malware authors are targeting private keys for certificates shows the value of ‘code signing’, which for malware authors is yet another way to steal from others. Unfortunately, code signing can only be as secure as the private keys underlying the technology,” explains Microsoft.
Microsoft published a helpful guide explaining how code signing works in Windows, how to keep the private keys physically secured, and why files should be scanned for malware before you sign them and affix your reputation to them.
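The scan-then-sign discipline described above, as an added example rather than code from Microsoft's guide: a PowerShell release step that refuses to sign a binary Windows Defender flags, signs only with a code-signing certificate whose private key is held in the certificate store (typically backed by a smart card or HSM), and re-verifies the result. The timestamp URL is a placeholder to replace with your provider's.

```powershell
# Added example (not from the Microsoft guide): gate a release signing step so a
# binary is malware-scanned and the signature verified before it ships.
# Assumptions: Windows Defender is installed (MpCmdRun.exe), the signing
# certificate's private key lives on a smart card/HSM and is exposed through the
# CurrentUser\My store, and the timestamp URL below is a placeholder to replace.
param(
    [Parameter(Mandatory)] [string] $FilePath,
    [string] $TimestampServer = 'http://timestamp.example.invalid'  # placeholder
)

$ErrorActionPreference = 'Stop'

# 1. Scan the artifact before signing: a signature asserts that the publisher
#    vouches for the file, so never sign something that has not been inspected.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpCmdRun -Scan -ScanType 3 -File $FilePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    # MpCmdRun returns 2 when a threat is found; any non-zero code aborts.
    throw "Refusing to sign '$FilePath': scan exit code $LASTEXITCODE"
}

# 2. Pick the code-signing certificate. -CodeSigningCert filters on the EKU;
#    HasPrivateKey is true for hardware-backed keys exposed via a CSP/KSP.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate with a private key found' }

# 3. Sign with SHA-256 and an RFC 3161 timestamp so the signature stays valid
#    after the certificate itself expires.
$result = Set-AuthenticodeSignature -FilePath $FilePath -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($result.Status -ne 'Valid') {
    throw "Signing failed: $($result.Status) $($result.StatusMessage)"
}

# 4. Re-verify as a consumer would: status must be Valid and the signer must be
#    the certificate we intended, not whatever key happened to be available.
$check = Get-AuthenticodeSignature -FilePath $FilePath
if ($check.Status -ne 'Valid' -or
    $check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Post-sign verification failed for '$FilePath'"
}
Write-Output "Signed $FilePath with $($cert.Subject) (thumbprint $($cert.Thumbprint))"
```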
More Info: Code-Signing Best Practices