OpenAI rotates macOS certs after Axios attack hit code-signing workflow

OpenAI is rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a malicious Axios package during a recent supply chain attack. The company said that on March 31, 2026, the legitimate workflow downloaded and executed a compromised Axios package (version 1.14.1) that was used in attacks to deploy malware on devices. That workflow had access to code-signing certificates used to sign OpenAI's macOS apps, including ChatGPT Desktop, Codex, Codex CLI, and Atlas.

While OpenAI says its investigation found no evidence that the signing certificate was compromised, the company is treating it as potentially compromised out of caution and is now revoking and rotating it.

"Out of an abundance of caution we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps. We found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered," explains an OpenAI security advisory.

"We are updating our security certificates, which will require all macOS users to update their OpenAI apps to the latest versions."

macOS users will need to update their apps to versions signed with the new certificate, as older versions may stop working on May 8, 2026. OpenAI worked with a third-party incident response firm to conduct an investigation, which found no evidence that the incident exposed its certificates or that they were used to distribute malicious software. The company also analyzed previous notarization activity linked to the certificate and confirmed that everything signed with it was legitimate.

However, if the attacker obtained the certificate, they could use it to sign their own macOS applications that appear to be legitimately signed by OpenAI. Therefore, to reduce the risk, OpenAI says it is working with Apple to ensure no future software can be notarized with the previous certificate.

OpenAI says that the certificate will be fully revoked on May 8, after which attempts to launch applications signed with it will be blocked by macOS protections.

OpenAI says the issue is limited to its macOS applications and does not affect its web services or apps on iOS, Android, Windows, or Linux. It also says user accounts, passwords, and API keys were not impacted.

Users are advised to update via in-app features or the official download pages, and to avoid installing software from links sent via email, ads, or third-party sites. The company says it will continue monitoring for any signs that the old certificate is being misused and may speed up the revocation timeline if anything suspicious is detected.

The Axios supply chain attack has been linked to North Korean threat actors tracked as UNC1069, who conducted a social engineering campaign against one of the project's maintainers. After conducting a fake web conference call that led to the installation of malware, the threat actors gained access to the maintainer's account and published malicious versions of the Axios package to npm.

This malicious package included a dependency that installed a remote access trojan (RAT) on macOS, Windows, and Linux systems. According to researchers, the attackers approached developers through convincing fake collaboration setups, including Slack workspaces and Microsoft Teams calls, eventually tricking them into installing malware that led to credential theft and downstream supply chain compromises.

The activity has been linked to a larger campaign to compromise popular open-source projects for widespread supply chain attacks.

What happened and why it matters

The attack exploited a trusted GitHub Actions workflow that OpenAI uses to build and sign its macOS applications. When the workflow pulled in the compromised Axios package, it potentially exposed the code-signing certificates that verify OpenAI's software as legitimate. This is particularly concerning because code-signing certificates are the foundation of trust in software distribution - they tell your operating system that an application really comes from the developer it claims to be.

The technical details

Code-signing certificates work by cryptographically signing software binaries. When you download an app on macOS, the operating system checks this signature against Apple's trusted certificate authorities. If the signature is valid and the certificate hasn't been revoked, macOS allows the app to run. By potentially exposing these certificates, attackers could have created malicious software that appears to be legitimately signed by OpenAI.

What OpenAI is doing

OpenAI's response demonstrates a security-first approach. Even without evidence of compromise, they're treating the certificates as potentially exposed and taking decisive action:

• Revoking the old certificate on May 8, 2026
• Rotating to new certificates for all macOS apps
• Working with Apple to prevent notarization of software signed with the old certificate
• Conducting thorough investigations with third-party experts
• Monitoring for any misuse of the compromised certificate

What users need to do

If you use any OpenAI macOS applications, you must update to the latest versions before May 8, 2026. After that date, older versions signed with the revoked certificate will no longer launch due to macOS security protections. Update through the in-app update feature or download the latest versions from OpenAI's official website.

The bigger picture

This incident highlights the growing sophistication of supply chain attacks targeting open-source software. The attackers used social engineering to compromise a maintainer, then leveraged that access to inject malicious code into widely-used packages. The Axios package is downloaded millions of times weekly, making it an attractive target for attackers seeking broad reach.

Lessons learned

This attack underscores several important security principles:

1. Supply chain security is critical - Even trusted workflows can be compromised if dependencies are not carefully vetted
2. Certificate protection is paramount - Code-signing certificates should be treated as highly sensitive assets
3. Defense in depth matters - OpenAI's quick response and thorough investigation limited potential damage
4. User awareness is essential - Users should only download software from official sources and keep applications updated

The Axios attack context

The Axios compromise was part of a larger campaign by UNC1069, a North Korean threat actor group. They've been targeting open-source maintainers through sophisticated social engineering, including fake collaboration platforms and convincing video calls. Once they gain access to a maintainer's account, they can inject malicious code into popular packages, affecting thousands or millions of downstream users.

This pattern of attack has become increasingly common as attackers recognize the leverage point that popular open-source packages provide. A single compromised package can affect countless applications and services that depend on it.

Moving forward

OpenAI's handling of this incident provides a model for responsible security response. By being transparent about the potential exposure, taking precautionary measures even without evidence of compromise, and providing clear guidance to users, they've minimized the risk while maintaining user trust.

The incident also serves as a reminder for all organizations to regularly review and strengthen their supply chain security practices, particularly around the protection of code-signing infrastructure and the vetting of dependencies in automated workflows.

For developers and organizations, this attack reinforces the importance of:

• Implementing strict dependency management policies
• Using tools to detect compromised packages
• Protecting build and signing infrastructure
• Maintaining incident response plans for supply chain compromises
• Educating teams about social engineering tactics

As supply chain attacks continue to evolve in sophistication, organizations must remain vigilant and proactive in their security measures. The cost of prevention is far less than the potential damage from a successful attack on critical infrastructure.