OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
OpenAI revokes macOS app certificate after malicious Axios npm supply chain attack.
Summary
OpenAI disclosed that a GitHub Actions workflow downloading the compromised Axios npm package (v1.14.1) on March 31 exposed its macOS app-signing certificate to potential exfiltration. The Axios compromise, attributed to North Korean group UNC1069, deployed the WAVESHAPER.V2 backdoor. OpenAI found no evidence of data breach but is revoking the certificate and blocking older app versions starting May 8, 2026.
Full text
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident Ravie LakshmananApr 13, 2026DevSecOps / Software Security OpenAI revealed a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no user data or internal system was compromised. "Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps," OpenAI said in a post last week. "We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered." The disclosure comes a little over a week after Google Threat Intelligence Group (GTIG) attributed the supply chain compromise of the popular npm package to a North Korean hacking group it tracks as UNC1069. The attack enabled the threat actors to hijack the package maintainer's npm account to push two poisoned versions 1.14.1 and 0.30.4 that came embedded with a malicious dependency named "plain-crypto-js," which deployed a cross-platform backdoor called WAVESHAPER.V2 to infect Windows, macOS, and Linux systems. The artificial intelligence (AI) company said a GitHub Actions workflow it uses as part of its macOS app-signing process downloaded and executed Axios version 1.14.1. The workflow, it added, had access to a certificate and notarization material used for signing ChatGPT Desktop, Codex, Codex CLI, and Atlas. "Our analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors," the company said. Despite finding no evidence of data exfiltration, OpenAI said it's treating the certificate as compromised and that it's revoking and rotating it. As a result, older versions of all its macOS desktop apps will no longer receive updates or support starting May 8, 2026. This also means that apps signed with the previous certificate will be blocked by macOS security protections by default, preventing them from being downloaded or launched. The earliest releases signed with their updated certificate are listed below - ChatGPT Desktop - 1.2026.071 Codex App - 26.406.40811 Codex CLI - 0.119.0 Atlas - 1.2026.84.2 As part of its remediation efforts, OpenAI is also working with Apple to ensure software signed with the previous certificate cannot be newly notarized. The 30-day window till May 8, 2026, is a way to minimize user disruption and give them enough time to make sure they are updated to the latest version, it pointed out. "In the event that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate OpenAI software," OpenAI said. "We have stopped new software notarizations using the old certificate, so new software signed with the old certificate by an unauthorized third-party would be blocked by default by macOS security protections unless a user explicitly bypasses them." Two Supply Chain Attacks Rock March The breach of Axios, one of the most widely used HTTP client libraries, was one of the two major supply chain attacks that took place in March aimed at the open-source ecosystem. The other incident targeted Trivy, a vulnerability scanner maintained by Aqua Security, resulting in cascading impacts across five ecosystems, affecting a number of other popular libraries depending on it. The attack, the work of a cybercriminal group called TeamPCP (aka UNC6780), deployed a credential stealer dubbed SANDCLOCK that facilitated the extraction of sensitive data from developer environments. Subsequently, the threat actors weaponized the stolen credentials to compromise npm packages and push a self-propagating worm named CanisterWorm. Days later, the crew used secrets pilfered from the Trivy intrusion to inject the same malware into two GitHub Actions workflows maintained by Checkmarx. The threat actors then followed it up by publishing malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI), both of which use Trivy in their CI/CD pipeline. "The Telnyx compromise indicates a continued change in the techniques used in TeamPCP's supply chain activity, with adjustments to tooling, delivery methods, and platform coverage," Trend Micro said in an analysis of the attack. "In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving their delivery from inline Base64 to .pth auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence." On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named "msbuild.exe" that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework. Additional analyses of the campaign, now identified as CVE-2026-33634, have been published by various cybersecurity vendors - CrowdStrike FUTURESEARCH Hexastrike Kudelski Security Microsoft OpenSourceMalware Palo Alto Networks Unit 42 ReversingLabs SOCRadar Sonatype StepSecurity Synk Trend Micro TRUESEC Wiz TeamPCP's supply chain compromise rampage may have come to an end, but the group has since shifted its focus towards monetizing existing credential harvests by teaming up with other financially motivated groups like Vect, LAPSUS$, and ShinyHunters. Evidence indicates that the threat actor has also launched a proprietary ransomware operation under the name CipherForce. These efforts have been complemented by TeamPCP's use of the stolen data to access cloud and software-as-a-service (SaaS) environments, marking a new-found escalation of the campaign. To that end, the cybercrime gang has been found to verify stolen credentials using TruffleHog, launch discovery operations within 24 hours of validation, exfiltrate more data, and attempt lateral movement to gain access to the broader network. "The credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data," Wiz researchers said. "While the speed at which they were used suggests that it was the work of the same threat actors responsible for the supply chain operations, we are not able to rule out the secrets being shared with other groups and used by them." Attacks Ripple Through Dependencies Google has warned that "hundreds of thousands of stolen secrets" could potentially be circulating as a result of the Axios and Trivy breaches, fueling more software supply chain attacks, SaaS environment compromises, ransomware and extortion events, and cryptocurrency theft over the near term. Two organizations that have confirmed compromise through the Trivy supply chain attack are artificial intelligence (AI) data training startup Mercor and the European Commission. While the California-based company has not shared details on the impact, the LAPSUS$ extortion group listed Mercor on its leak site at the start of April, claiming to have exfiltrated about 4TB of data. The Mercor breach has led Meta to pause its work with the company, according to a report from WIRED. Earlier this month, CERT-EU revealed that the threat actors used the stolen AWS secret to exfiltrate data from the Commission's cloud environment. This included data relating to websites hosted for up to 71 clients of the Europa web hosting service and outbound email communications. The ShinyHunters group has since released the exfiltrated dataset publicly on its dark web leak site. GitGuardian's analysis of the Trivy
Indicators of Compromise
- malware — WAVESHAPER.V2
- malware — plain-crypto-js
- cve — CVE-2026-33634