OpenAI Revokes macOS App Certificate Amid Axios Supply Chain Attack; Urges Users to Update Apps

OpenAI Revokes macOS App Certificate Following Axios Supply Chain Attack

OpenAI has recently taken decisive action to revoke and rotate its macOS application signing certificate after discovering that a GitHub Actions workflow used in its app-signing process inadvertently downloaded a compromised version of the Axios library on March 31, 2026. Despite this incident, OpenAI has confirmed that no user data or internal systems were compromised.

In a statement released last week, OpenAI emphasized its commitment to security:

Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps. We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered.

Background on the Axios Supply Chain Attack

This incident is part of a broader supply chain attack attributed to a North Korean hacking group identified as UNC1069. The attackers compromised the npm package maintainer’s account, allowing them to distribute malicious versions 1.14.1 and 0.30.4 of the Axios library. These versions included a harmful dependency named plain-crypto-js, which deployed a cross-platform backdoor known as WAVESHAPER.V2, capable of infecting Windows, macOS, and Linux systems.

OpenAI’s Response and Mitigation Measures

OpenAI’s GitHub Actions workflow, integral to its macOS app-signing process, inadvertently downloaded and executed the tainted Axios version 1.14.1. This workflow had access to critical certificates and notarization materials used for signing applications such as ChatGPT Desktop, Codex, Codex CLI, and Atlas.

Upon thorough analysis, OpenAI concluded that the signing certificate was likely not exfiltrated by the malicious payload. Factors contributing to this assessment included the timing of the payload execution, the sequence of job processes, and other mitigating elements.

Despite the absence of evidence indicating data exfiltration, OpenAI is treating the certificate as compromised. Consequently, the company is revoking and rotating the certificate. As a result, older versions of all its macOS desktop applications will cease to receive updates or support starting May 8, 2026.

This action means that applications signed with the previous certificate will be blocked by macOS security protections by default, preventing them from being downloaded or launched. Users are advised to update to the latest versions of the applications, which are signed with the new certificate. The earliest releases signed with the updated certificate are as follows:

– ChatGPT Desktop: Version 1.2026.071
– Codex App: Version 26.406.40811
– Codex CLI: Version 0.119.0
– Atlas: Version 1.2026.84.2

To further mitigate potential risks, OpenAI is collaborating with Apple to ensure that software signed with the previous certificate cannot be newly notarized. The 30-day window until May 8, 2026, is intended to minimize user disruption and provide sufficient time for users to update to the latest versions.

OpenAI stated:

In the event that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate OpenAI software. We have stopped new software notarizations using the old certificate, so new software signed with the old certificate by an unauthorized third party would be blocked by default by macOS security protections unless a user explicitly bypasses them.

Broader Implications of Supply Chain Attacks

The Axios incident is one of two significant supply chain attacks that occurred in March 2026, targeting the open-source ecosystem. The other incident involved Trivy, a vulnerability scanner maintained by Aqua Security. This attack had cascading impacts across five ecosystems, affecting numerous popular libraries that depended on it.

The attack on Trivy was orchestrated by a cybercriminal group known as TeamPCP (also referred to as UNC6780). The group deployed a credential stealer named SANDCLOCK, which facilitated the extraction of sensitive data from developer environments. The stolen credentials were then used to compromise npm packages and distribute a self-propagating worm called CanisterWorm.

Subsequently, the attackers used secrets obtained from the Trivy intrusion to inject the same malware into two GitHub Actions workflows maintained by Checkmarx. They also published malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI), both of which utilized Trivy in their CI/CD pipelines.

Trend Micro noted:

The Telnyx compromise indicates a continued change in the techniques used in TeamPCP’s supply chain activity, with adjustments to tooling, delivery methods, and platform coverage. In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving their delivery from inline Base64 to .pth auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence.

On Windows systems, the compromise of the Telnyx Python SDK led to the deployment of an executable named msbuild.exe. This executable employed several obfuscation techniques to evade detection and extracted DonutLoader, a shellcode loader, from a PNG image within the binary. This process loaded a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework.

Industry Response and Recommendations

In response to these incidents, various cybersecurity vendors have published analyses and recommendations to mitigate the risks associated with supply chain attacks. Organizations are advised to implement the following measures:

– Pin Packages by Digest or Commit SHA: Instead of using mutable tags, pinning packages ensures that the exact version of a dependency is used, reducing the risk of inadvertently incorporating malicious code.

– Use Hardened Images: Utilize Docker Hardened Images (DHI) to ensure that base images are secure and free from vulnerabilities.

– Enforce Minimum Release Age Settings: Implement settings to delay the adoption of new versions for dependency updates, allowing time for any potential issues to be identified and addressed.

– Treat CI Runners as Potential Breach Points: Avoid using pull_request_target triggers in GitHub Actions unless absolutely necessary, as CI runners can be exploited as entry points for attacks.

– Use Short-Lived, Narrowly Scoped Credentials: Limit the lifespan and scope of credentials to minimize the impact of potential compromises.

– Deploy Canary Tokens: Implement canary tokens to detect potential exfiltration attempts and receive alerts in case of unauthorized access.

– Audit Environments for Hard-Coded Secrets: Regularly review and remove hard-coded secrets from codebases to prevent unauthorized access.

– Run AI Coding Agents in Sandboxed Environments: Ensure that AI coding agents operate in isolated environments to prevent potential security breaches.

– Use Trusted Publishing Methods: Employ trusted publishing methods when pushing packages to npm and PyPI to ensure the integrity of the code.

– Secure Open-Source Development Pipelines with 2FA: Implement two-factor authentication (2FA) to enhance the security of open-source development pipelines.
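As an added illustration (not code from OpenAI, the vendors cited, or any advisory), the script below audits a GitHub Actions workflow and an npm lockfile for the first and fourth items above (actions referenced by mutable tag rather than commit SHA, use of pull_request_target, no top-level permissions block) and for the Axios versions and plain-crypto-js dependency named in this article. The workflow, lockfile, and 40-hex commit digest are constructed samples.

```python
import json
import re

# Constructed sample workflow: one action pinned by tag, one by a placeholder digest.
WORKFLOW = """\
name: sign-macos
on:
  pull_request_target:
  push:
    branches: [main]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm run sign
"""

# Constructed package-lock.json (lockfileVersion 3 shape) pulling the tainted release.
LOCKFILE = json.dumps({"packages": {
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "0.0.0"},  # placeholder version
    "node_modules/left-pad": {"version": "1.3.0"},
}})

# Indicators from the article: bad Axios releases; plain-crypto-js at any version (empty set).
MALICIOUS = {"axios": {"1.14.1", "0.30.4"}, "plain-crypto-js": set()}
SHA_RE = re.compile(r"@[0-9a-f]{40}$")  # a full commit SHA counts as pinned


def audit_workflow(text: str) -> list[str]:
    """Return findings for risky triggers, missing permissions, and unpinned actions."""
    findings = []
    if re.search(r"^\s*pull_request_target:", text, re.M):
        findings.append("trigger: pull_request_target used")
    if not re.search(r"^permissions:", text, re.M):
        findings.append("permissions: no top-level least-privilege block")
    for match in re.finditer(r"uses:\s*(\S+)", text):
        ref = match.group(1)
        if not ref.startswith("./") and not SHA_RE.search(ref):  # local actions need no pin
            findings.append(f"unpinned action: {ref}")
    return findings


def audit_lockfile(text: str) -> list[str]:
    """Return every locked package matching a known-malicious name/version."""
    findings = []
    for path, meta in json.loads(text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in MALICIOUS and (not MALICIOUS[name] or meta.get("version") in MALICIOUS[name]):
            findings.append(f"malicious dependency: {name}@{meta.get('version')}")
    return findings
```

Running both auditors against the constructed inputs flags the tag-pinned checkout, the pull_request_target trigger, the absent permissions block, and both tainted lockfile entries, while leaving the SHA-pinned action and the unrelated package alone.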

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2026-33634 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by April 9, 2026.

Charles Carmakal, Chief Technology Officer of Mandiant Consulting at Google, emphasized the urgency of addressing these threats:

The number of recent software supply chain attacks is overwhelming. Defenders need to pay close attention to these campaigns. Enterprises should spin up dedicated projects to assess the existing impact, remediate, and harden against future attacks.

Conclusion

The recent supply chain attacks underscore the critical importance of securing software development pipelines and the dependencies they rely upon. Organizations must adopt proactive measures to safeguard their systems and data against increasingly sophisticated threats. By implementing robust security practices and staying vigilant, the industry can work towards mitigating the risks associated with supply chain compromises.