OpenAI has revoked its macOS app signing certificate after a GitHub Actions workflow downloaded malicious Axios library versions containing the WAVESHAPER.V2 backdoor, affecting ChatGPT Desktop, Codex, and Atlas users.
OpenAI has revoked its macOS app signing certificate after discovering that a GitHub Actions workflow used to sign its desktop applications inadvertently downloaded malicious versions of the popular Axios library, marking another significant supply chain security incident in the open-source ecosystem.
The Axios Supply Chain Attack
The incident traces back to March 31, 2026, when North Korean hacking group UNC1069 compromised the npm account of the Axios library maintainer. The attackers pushed two poisoned versions - 1.14.1 and 0.30.4 - that contained a malicious dependency called "plain-crypto-js." This dependency deployed the WAVESHAPER.V2 backdoor, capable of infecting Windows, macOS, and Linux systems.
OpenAI revealed that its GitHub Actions workflow, which handles the signing process for ChatGPT Desktop, Codex, Codex CLI, and Atlas applications, downloaded and executed Axios version 1.14.1. The workflow had access to certificates and notarization materials used for signing these macOS applications.
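A lockfile check for the indicators above, as an added example (not OpenAI's or the Axios project's code): it flags the two poisoned Axios versions and any install of plain-crypto-js in an npm package-lock.json. The sample lockfile and the function names are constructed for illustration.

```javascript
// Indicators named in the article: poisoned axios releases and their malicious dependency.
const POISONED = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);
const MALICIOUS = new Set(["plain-crypto-js"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

function classify(name, version) {
  if (MALICIOUS.has(name)) return "malicious dependency";
  const bad = POISONED.get(name);
  return bad && bad.has(version) ? "poisoned release" : null;
}

// Returns [{ path, name, version, reason }] for every affected install.
function scanLockfile(lock) {
  const findings = [];
  const record = (path, name, version) => {
    const reason = classify(name, version);
    if (reason) findings.push({ path, name, version, reason });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "") record(path, meta.name || nameFromPath(path), meta.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        record(path, name, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile; the plain-crypto-js version is a placeholder.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "0.0.0-example" },
  "node_modules/tool/node_modules/axios": { version: "1.13.0" },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its package-lock.json to `scanLockfile`; a transitive copy nested under another package is reported with its full install path.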
OpenAI's Response and User Impact
Despite finding no evidence that user data was accessed or systems were compromised, OpenAI is treating the certificate as compromised and has initiated revocation. The company stated that the signing certificate present in the workflow was likely not successfully exfiltrated due to timing factors, certificate injection sequencing, and other mitigating conditions.
However, as a precautionary measure, OpenAI is revoking and rotating the certificate. This means that older versions of all its macOS desktop apps will no longer receive updates or support starting May 8, 2026. Apps signed with the previous certificate will be blocked by macOS security protections by default, preventing them from being downloaded or launched.
The earliest releases signed with the updated certificate are:
- ChatGPT Desktop - 1.2026.071
- Codex App - 26.406.40811
- Codex CLI - 0.119.0
- Atlas - 1.2026.84.2
OpenAI is also working with Apple to ensure software signed with the previous certificate cannot be newly notarized, providing a 30-day window to minimize user disruption.
The Broader Supply Chain Attack Landscape
This incident is part of a larger wave of supply chain attacks that rocked the open-source ecosystem in March 2026. The Axios compromise was one of two major attacks, the other targeting Trivy, a vulnerability scanner maintained by Aqua Security.
The Trivy attack, attributed to cybercrime group TeamPCP (aka UNC6780), deployed a credential stealer called SANDCLOCK that extracted sensitive data from developer environments. The attackers then weaponized stolen credentials to compromise npm packages and push a self-propagating worm named CanisterWorm.
TeamPCP's campaign evolved rapidly, using secrets pilfered from the Trivy intrusion to inject malware into GitHub Actions workflows maintained by Checkmarx. They subsequently published malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI), both of which use Trivy in their CI/CD pipelines.
Technical Analysis of the Attacks
On Windows systems, the Telnyx Python SDK compromise resulted in the deployment of an executable named "msbuild.exe" that employed several obfuscation techniques to evade detection. The malware extracted DonutLoader, a shellcode loader, from a PNG image within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control framework.
The attack demonstrated sophisticated evolution in delivery methods, moving from inline Base64 to .pth auto-execution, and ultimately to split-file WAV steganography. The malware expanded from Linux-only targeting to dual-platform targeting with Windows persistence.
Impact and Victim Analysis
Google has warned that "hundreds of thousands of stolen secrets" could potentially be circulating as a result of the Axios and Trivy attacks. This could fuel more software supply chain attacks, SaaS environment compromises, ransomware and extortion events, and cryptocurrency theft.
Two organizations have confirmed compromise through the Trivy supply chain attack: artificial intelligence data training startup Mercor and the European Commission. While Mercor has not shared details on the impact, the LAPSUS$ extortion group listed Mercor on its leak site, claiming to have exfiltrated about 4TB of data. The Mercor breach has led Meta to pause its work with the company.
The European Commission revealed that threat actors used stolen AWS secrets to exfiltrate data from the Commission's cloud environment, including data relating to websites hosted for up to 71 clients of the Europa web hosting service and outbound email communications. The ShinyHunters group has since released the exfiltrated dataset publicly on its dark web leak site.
GitGuardian's analysis found that 474 public repositories executed malicious code from the compromised "trivy-action" workflow, and 1,750 Python packages were configured to automatically pull the poisoned versions.
Security Recommendations and Mitigation
Security experts emphasize that these attacks target the inherent trust developers assume when downloading packages and dependencies from open-source repositories. "Trust was assumed where it should have been verified," said Mark Lechner, chief information security officer at Docker.
Organizations that minimized damage had already begun replacing implicit trust with explicit verification at every layer of their stack. This includes using verified base images instead of community pulls, pinned references instead of mutable tags, scoped and short-lived credentials instead of long-lived tokens, and sandboxed execution environments instead of wide-open CI runners.
Recommended security measures include:
- Pinning packages by digest or commit SHA instead of mutable tags
- Using Docker Hardened Images (DHI)
- Enforcing minimum release age settings to delay adoption of new versions for dependency updates
- Treating every CI runner as a potential breach point and avoiding pull_request_target triggers in GitHub Actions unless absolutely necessary
- Using short-lived, narrowly scoped credentials
- Using an internal mirror or artifact proxy
- Deploying canary tokens to get alerted to potential exfiltration attempts
- Auditing environments for hard-coded secrets
- Running AI coding agents in sandboxed environments
- Using trusted publishing to push packages to npm and PyPI
- Securing the open-source development pipeline with two-factor authentication (2FA)
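Two of the measures above (pinning by commit SHA or digest, and avoiding pull_request_target) can be checked mechanically. The following added example, not taken from any vendor's tooling, is a line-based heuristic audit of a workflow file; the sample workflow, the example-org action and its SHA are constructed placeholders.

```javascript
const FULL_SHA = /^[0-9a-f]{40}$/i;
const IMAGE_DIGEST = /@sha256:[0-9a-f]{64}$/i;
// Matches the trigger as a YAML key or list item, not as a quoted string in an expression.
const PRT_TRIGGER = /(^|[\s\[,])pull_request_target\s*(:|,|\]|$)/;

// Line-based heuristic audit of one workflow file; returns [{ line, rule, detail }].
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.replace(/(^|\s)#.*$/, "").trim(); // drop YAML comments
    if (PRT_TRIGGER.test(line)) {
      findings.push({ line: idx + 1, rule: "pull_request_target", detail: line });
    }
    const m = line.match(/^(?:-\s*)?uses:\s*["']?([^"'\s]+)["']?$/);
    if (!m) return;
    const target = m[1];
    if (target.startsWith("./")) return; // local action, versioned with the repository
    // Container actions are pinned by image digest, all others by a full commit SHA.
    const pinned = target.startsWith("docker://")
      ? IMAGE_DIGEST.test(target)
      : FULL_SHA.test(target.slice(target.lastIndexOf("@") + 1));
    if (!pinned) findings.push({ line: idx + 1, rule: "mutable-ref", detail: target });
  });
  return findings;
}

// Constructed workflow; example-org/setup-tool and its 40-hex SHA are placeholders.
const SAMPLE_WORKFLOW = [
  "name: sign-and-release",
  "on:",
  "  pull_request_target:",
  "    types: [opened]",
  "jobs:",
  "  sign:",
  "    runs-on: macos-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v2.1.0",
  "      - uses: ./.github/actions/sign",
  "      - uses: docker://alpine:3.20",
].join("\n");
console.log(auditWorkflow(SAMPLE_WORKFLOW));
```

Because it works line by line rather than parsing YAML, treat its output as a review list; a reference it reports as pinned still needs the SHA compared against the upstream repository.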
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-33634 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply necessary mitigations by April 9, 2026.
Attribution and Follow-up Activity
Evidence indicates that TeamPCP has shifted focus toward monetizing existing credential harvests by teaming up with other financially motivated groups like Vect, LAPSUS$, and ShinyHunters. The threat actor has launched a proprietary ransomware operation under the name CipherForce.
The group has been found to verify stolen credentials using TruffleHog, launch discovery operations within 24 hours of validation, exfiltrate more data, and attempt lateral movement to gain access to broader networks.
"The credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data," said Wiz researchers. "While the speed at which they were used suggests that it was the work of the same threat actors responsible for the supply chain operations, we are not able to rule out the secrets being shared with other groups and used by them."
Charles Carmakal, chief technology officer of Mandiant Consulting at Google, emphasized the severity of the situation: "The number of recent software supply chain attacks is overwhelming. Defenders need to pay close attention to these campaigns. Enterprises should spin up dedicated projects to assess the existing impact, remediate, and harden against future attacks."
