OpenAI Revokes macOS App Certificate Following Malicious Axios Supply Chain Attack

OpenAI has taken significant steps to address a security incident involving its macOS applications. On March 31, the company disclosed that a GitHub Actions workflow, integral to signing its macOS apps, inadvertently downloaded a compromised version of the Axios library. Fortunately, OpenAI confirmed that no user data or internal systems were breached during this incident.

In a statement, OpenAI emphasized its commitment to safeguarding its application certification process. The organization stated, “Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps. We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered.”

Context of the Incident

This disclosure follows a report from the Google Threat Intelligence Group (GTIG), which attributed the supply chain compromise of the popular npm package Axios to a North Korean hacking group known as UNC1069. The attackers exploited vulnerabilities to hijack the npm account of the package maintainer, subsequently releasing two malicious versions—1.14.1 and 0.30.4—embedded with a harmful dependency called “plain-crypto-js.” This dependency deployed a cross-platform backdoor, WAVESHAPER.V2, capable of infecting Windows, macOS, and Linux systems.

OpenAI revealed that its GitHub Actions workflow, part of the macOS app-signing process, executed Axios version 1.14.1. This workflow had access to critical signing certificates and notarization materials used for applications like ChatGPT Desktop, Codex, Codex CLI, and Atlas.

The company’s analysis indicated that the signing certificate was likely not exfiltrated due to various mitigating factors, including the timing of the payload execution and the sequencing of the job. Nevertheless, OpenAI is treating the certificate as compromised and plans to revoke and rotate it. Consequently, older versions of its macOS desktop applications will cease to receive updates or support starting May 8, 2026.

Implications for Users and Developers

The revocation of the signing certificate means that applications signed with the previous certificate will be blocked by macOS security protections, preventing them from being downloaded or launched. The earliest releases signed with the updated certificate include:

  • ChatGPT Desktop – 1.2026.071
  • Codex App – 26.406.40811
  • Codex CLI – 0.119.0
  • Atlas – 1.2026.84.2

OpenAI is collaborating with Apple to ensure that software signed with the compromised certificate cannot be newly notarized. This 30-day window aims to minimize user disruption and allow users ample time to update to the latest versions.

OpenAI stated, “In the event that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate OpenAI software.” The organization has halted new software notarizations using the old certificate, ensuring that any unauthorized software signed with it will be blocked by macOS security protections unless users explicitly bypass them.

Broader Supply Chain Threat Landscape

The Axios incident is part of a larger trend of supply chain attacks that have targeted the open-source ecosystem. In March, another significant attack involved Trivy, a vulnerability scanner maintained by Aqua Security. This attack, attributed to the cybercriminal group TeamPCP (also known as UNC6780), resulted in cascading impacts across multiple ecosystems, affecting various popular libraries dependent on Trivy.

TeamPCP deployed a credential stealer named SANDCLOCK, enabling the extraction of sensitive data from developer environments. The stolen credentials were subsequently weaponized to compromise npm packages and distribute a self-propagating worm called CanisterWorm.

Days later, TeamPCP utilized the credentials obtained from the Trivy breach to inject malware into GitHub Actions workflows maintained by Checkmarx. They then published malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI), both of which utilized Trivy in their CI/CD pipelines.

Trend Micro noted that the Telnyx compromise reflects a shift in TeamPCP’s tactics, evolving from inline Base64 delivery methods to more sophisticated techniques, including split-file WAV steganography. This evolution demonstrates a concerning trend in the sophistication of supply chain attacks.

The Ripple Effect of Compromised Dependencies

Google has warned that “hundreds of thousands of stolen secrets” could be circulating as a result of the Axios and Trivy attacks, potentially fueling further software supply chain incidents, SaaS environment compromises, ransomware, extortion events, and cryptocurrency theft in the near term.

Organizations such as the AI data training startup Mercor and the European Commission have confirmed compromises linked to the Trivy attack. The LAPSUS$ extortion group has claimed to have exfiltrated approximately 4TB of data from Mercor, prompting Meta to pause its collaboration with the company.

CERT-EU has revealed that the attackers used stolen AWS secrets to exfiltrate data from the European Commission’s cloud environment, affecting data related to websites hosted for up to 71 clients. The ShinyHunters group has since leaked the exfiltrated dataset on its dark web site.

GitGuardian’s analysis of the Trivy and LiteLLM attacks found that 474 public repositories executed malicious code from the compromised “trivy-action” workflow, and 1,750 Python packages were configured to automatically pull the poisoned versions.

Recommendations for Mitigating Supply Chain Risks

The recent supply chain incidents underscore the critical need for organizations to reassess their security postures. Experts recommend several strategies to mitigate risks associated with supply chain attacks:

  • Pin packages by digest or commit SHA instead of mutable tags.
  • Use Docker Hardened Images (DHI).
  • Enforce minimum release age settings to delay adoption of new versions for dependency updates.
  • Treat every CI runner as a potential breach point and avoid unnecessary triggers in GitHub Actions.
  • Utilize short-lived, narrowly scoped credentials.
  • Implement internal mirrors or artifact proxies.
  • Deploy canary tokens to alert on potential exfiltration attempts.
  • Regularly audit environments for hard-coded secrets.
  • Run AI coding agents in sandboxed environments.
  • Use trusted publishing to push packages to npm and PyPI.
  • Secure the open-source development pipeline with two-factor authentication (2FA).
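
The first recommendation can be checked mechanically. The following added example (not from the original article or any vendor) lists every `uses:` reference in a GitHub Actions workflow that is not pinned to a full 40-character commit SHA or, for docker:// references, a sha256 digest. It reads the workflow line by line rather than with a YAML parser, and the example-org action names and the SHA in the sample are constructed.

```javascript
const FULL_SHA = /^[0-9a-f]{40}$/;
const DIGEST = /@sha256:[0-9a-f]{64}$/;

// Classifies one `uses:` value as "local", "pinned" or "mutable".
function classifyUses(ref) {
  if (ref.startsWith("./") || ref.startsWith("../")) return "local";
  if (ref.startsWith("docker://")) return DIGEST.test(ref) ? "pinned" : "mutable";
  const at = ref.lastIndexOf("@");
  if (at === -1) return "mutable"; // no ref given at all
  // Tags, branches and abbreviated SHAs can all be moved or shadowed.
  return FULL_SHA.test(ref.slice(at + 1)) ? "pinned" : "mutable";
}

// Returns [{ line, ref }] for every reference that is not immutable.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split(/\r?\n/).forEach((line, i) => {
    // Matches "uses: x" and "- uses: x", with optional quotes and trailing comment.
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)/);
    if (m && classifyUses(m[1]) === "mutable") {
      findings.push({ line: i + 1, ref: m[1] });
    }
  });
  return findings;
}

// Constructed sample workflow; example-org actions and the SHA are made up.
const SAMPLE_WORKFLOW = [
  "jobs:",
  "  sign:",
  "    runs-on: macos-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: example-org/scan-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3",
  "      - name: build",
  "        uses: ./.github/actions/build",
  "      - uses: docker://alpine:3.20",
  "      - uses: example-org/notarize@main",
].join("\n");
console.log(auditWorkflow(SAMPLE_WORKFLOW));
```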

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-33634 to its Known Exploited Vulnerabilities catalog, mandating that Federal Civilian Executive Branch agencies implement necessary mitigations by April 9, 2026.

As the frequency of software supply chain attacks continues to rise, organizations must remain vigilant and proactive in their security measures to protect against evolving threats.

Source: thehackernews.com
