OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
TL;DR
OpenAI has revoked the signing certificates for its macOS applications after a GitHub Actions workflow inadvertently downloaded a malicious version of the Axios library. While no user data or internal systems were compromised, the company is rotating certificates "out of an abundance of caution" to prevent potential impersonation by threat actors.
The Incident: Malicious Payloads in the Build Pipeline
OpenAI recently disclosed that a GitHub Actions workflow used to sign its macOS applications downloaded a poisoned version of the Axios library (v1.14.1) on March 31. This malicious package was part of a broader supply chain attack attributed by Google Threat Intelligence Group (GTIG) to UNC1069, a North Korean hacking group.
The attackers hijacked a package maintainer's npm account and published Axios versions that pulled in a malicious dependency, "plain-crypto-js". That dependency deployed WAVESHAPER.V2, a cross-platform backdoor that runs on Windows, macOS, and Linux.
Impact on OpenAI and macOS Applications
The affected GitHub workflow had access to critical certificate and notarization materials for several OpenAI products, including:
- ChatGPT Desktop
- Codex App
- Codex CLI
- Atlas
Although the malicious payload executed inside the workflow, OpenAI's security analysis concluded that the signing certificate was likely not exfiltrated, because of when the payload ran relative to the point at which the certificate was injected into the job, together with other internal mitigating factors.
"We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered," OpenAI stated.
Remediation: Revocation and Rotation
To eliminate any risk of threat actors using the certificate to sign fraudulent software, OpenAI is treating the credentials as compromised. The following steps are being taken:
- Certificate Revocation: OpenAI is revoking and rotating the signing certificates.
- Apple Collaboration: The company is working with Apple to ensure software signed with the old certificate cannot be newly notarized.
- Mandatory Updates: Starting May 8, 2026, older versions of OpenAI macOS apps will lose support and be blocked by macOS security protections.
To maintain service, users must update to the following minimum versions:
- ChatGPT Desktop: 1.2026.071
- Codex App: 26.406.40811
- Codex CLI: 0.119.0
- Atlas: 1.2026.84.2
The Broader Supply Chain Crisis
The Axios breach was one of two massive supply chain incidents in March. The second involved Trivy, a vulnerability scanner, which was targeted by a cybercriminal group known as TeamPCP (UNC6780).
These attacks have had cascading effects:
- Widespread Exposure: Google warned that hundreds of thousands of secrets may have been stolen across the ecosystem.
- Major Victims: Organizations such as the European Commission and the AI startup Mercor confirmed compromises stemming from the Trivy attack.
- Malware Proliferation: TeamPCP utilized stolen credentials to push the "CanisterWorm" and deploy DonutLoader shellcode via steganography.
Conclusion and Best Practices
The OpenAI incident shows how fragile trust in automated CI/CD pipelines can be: a single dependency install inside a signing job ran attacker-controlled code next to certificate material. Security experts emphasize that organizations must move away from "implicit trust" and toward a model of "explicit verification."
CISA has added the associated vulnerability (CVE-2026-33634) to its Known Exploited Vulnerabilities catalog. To defend against similar supply chain threats, developers are encouraged to:
- Pin dependencies and CI actions by content digest or commit SHA rather than by mutable tags or version ranges.
- Use short-lived, narrowly scoped credentials for CI runners, and expose signing material only to the step that needs it rather than to the whole job.
- Require multi-factor authentication on package-registry and source-control accounts, since the Axios compromise began with a hijacked maintainer account.
- Treat CI runners as potential breach points and run AI coding agents in sandboxed environments.
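The practices above, and the certificate-exposure window described in OpenAI's analysis of its workflow, as an added example (not code from OpenAI, Axios, or this article): a Node.js script that audits a GitHub Actions workflow for actions pinned to mutable tags and for secrets placed in job-level `env:` (readable by every step, including dependency install), and audits an npm lockfile for a known-bad axios version, an unexpected dependency, and entries with no integrity hash. The workflow text and lockfile are constructed for this example; the 40-character digests are placeholders, not real commit SHAs, and the `plain-crypto-js` version is a placeholder.

```javascript
// Added example, not OpenAI's, Axios's, or The Hacker News' code: a Node.js audit
// for the CI weaknesses the article describes. Inputs are constructed for this
// example; the 40-hex digests are placeholders, not real commit SHAs. No deps.

// Vulnerable shape: secret in job-level env (readable by every step, including
// `npm ci` and any install script it runs), checkout pinned to a mutable tag.
const SAMPLE_WORKFLOW = `jobs:
  sign:
    runs-on: macos-latest
    env:
      APPLE_SIGNING_CERT: \${{ secrets.APPLE_SIGNING_CERT }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
      - run: ./scripts/sign.sh
`;

// Hardened shape: every action pinned to a digest, install scripts disabled,
// secret scoped to the single step that needs it.
const HARDENED_WORKFLOW = `jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@89abcdef0123456789abcdef0123456789abcdef
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci --ignore-scripts
      - run: ./scripts/sign.sh
        env:
          APPLE_SIGNING_CERT: \${{ secrets.APPLE_SIGNING_CERT }}
`;

// Constructed npm lockfile fragment (lockfileVersion 3 layout).
const SAMPLE_LOCKFILE = {
  packages: {
    "": { dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      integrity: "sha512-PLACEHOLDER",
      dependencies: { "plain-crypto-js": "*" },
    },
    "node_modules/plain-crypto-js": {
      version: "0.0.0", // placeholder
      resolved: "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-0.0.0.tgz",
      // no integrity field: npm cannot prove the fetched tarball matches the record
    },
  },
};

const SHA_HEX = /^[0-9a-f]{40}$/;
const USES_RE = /^\s*-?\s*uses:\s*([^\s@]+)@(\S+)/;
const SECRET_RE = /\$\{\{\s*secrets\.(\w+)\s*\}\}/g;

// Line-oriented scan (a real tool would parse the YAML). A secret referenced
// before the job's `steps:` line is job-level, so every step can read it.
function auditWorkflow(yamlText) {
  const findings = [];
  let inSteps = false;
  yamlText.split("\n").forEach((line, i) => {
    if (/^\s*steps:\s*$/.test(line)) inSteps = true;
    const uses = line.match(USES_RE);
    if (uses && !SHA_HEX.test(uses[2])) {
      findings.push({ line: i + 1, kind: "unpinned-action", detail: `${uses[1]}@${uses[2]}` });
    }
    for (const m of line.matchAll(SECRET_RE)) {
      if (!inSteps) findings.push({ line: i + 1, kind: "job-level-secret", detail: m[1] });
    }
  });
  return findings;
}

const KNOWN_BAD = { axios: new Set(["1.14.1"]) }; // version named in the article
const UNEXPECTED = new Set(["plain-crypto-js"]);  // dependency named in the article

function auditLockfile(lock, knownBad = KNOWN_BAD, unexpected = UNEXPECTED) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (knownBad[name] && knownBad[name].has(entry.version)) {
      findings.push({ path, kind: "known-bad-version", detail: `${name}@${entry.version}` });
    }
    if (unexpected.has(name)) findings.push({ path, kind: "unexpected-package", detail: name });
    if (entry.resolved && !entry.integrity) findings.push({ path, kind: "missing-integrity", detail: name });
  }
  return findings;
}

// Build gate: refuse to sign if either audit reports anything.
function buildAllowed(workflowText, lock) {
  return auditWorkflow(workflowText).length === 0 && auditLockfile(lock).length === 0;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditWorkflow(SAMPLE_WORKFLOW), auditWorkflow(HARDENED_WORKFLOW));
  console.log(auditLockfile(SAMPLE_LOCKFILE), buildAllowed(HARDENED_WORKFLOW, SAMPLE_LOCKFILE));
}
```

Run it with `node audit.js`. The vulnerable workflow yields two findings (a job-level secret and `actions/checkout@v4`), the hardened one none. `npm ci --ignore-scripts` keeps package lifecycle scripts from executing on the runner (re-run any build step you genuinely need as an explicit command), and moving the certificate into the signing step's own `env:` means code that runs during dependency install never has it in its environment. The lockfile scan is only as good as the bad-version list you feed it: `npm ci` already verifies `integrity` hashes, but a hijacked version published through a legitimate account ships with a valid hash, so it can only be caught by name and version.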
Source: https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html