OpenAI Discloses Impact from Axios Supply Chain Compromise
OpenAI disclosed on Friday that it is among numerous organizations affected by a recent supply chain attack targeting the widely used Axios JavaScript library. Cybersecurity researchers have attributed the campaign to North Korean hackers, specifically the threat group known as UNC1069. The company detailed its investigation, remediation steps, and root cause analysis in a blog post published that same day.
What Is Axios and Why Does It Matter?
Axios is a popular open source JavaScript HTTP client library used to make requests in both web and Node.js applications. With more than 100 million weekly downloads, it serves as a dependency in an enormous number of developer projects and production systems worldwide, making it an attractive target for attackers seeking broad reach through a single point of compromise.
How the Attack Unfolded
In late March, attackers successfully compromised the NPM account belonging to a lead Axios maintainer. Using that access, they published two malicious NPM packages engineered to download and execute a cross-platform remote access trojan (RAT) capable of operating on Windows, macOS, and Linux. Although the malicious packages were live for only a few hours before being detected and pulled from the registry, the window proved sufficient for a significant number of organizations to be affected.
OpenAI's Specific Exposure
OpenAI's investigation revealed that a GitHub Actions workflow used in its macOS app-signing process downloaded and executed the trojanized version of Axios — specifically version 1.14.1. The workflow in question had access to a certificate and notarization material used to sign macOS applications, including ChatGPT Desktop, Codex, Codex-cli, and Atlas.
"This certificate helps customers know that software comes from the legitimate developer, OpenAI."
The certificate in question is a trust signal for end users: it assures them that any software they download genuinely originates from OpenAI rather than a malicious third party.
Certificate Risk and Remediation Steps
Despite the severity of the exposure, OpenAI believes that the macOS signing certificate itself was likely not compromised, citing the timing of the payload execution and other investigative factors. Nevertheless, the company decided to revoke and rotate the certificate as a precautionary measure.
The potential consequences of a certificate compromise are significant. An attacker holding a valid signing certificate could use it to sign malicious code and disguise it as legitimate OpenAI software, effectively undermining one of the primary trust mechanisms macOS relies upon.
OpenAI outlined the steps it has taken to contain the risk:
- New software notarizations using the old certificate have been halted, meaning any new software signed with the old certificate by an unauthorized party would be blocked by default macOS security protections — unless a user explicitly chooses to bypass them.
- Starting May 8th, 2026, new downloads and launches of applications signed with the previous certificate will be fully blocked by macOS security protections once the certificate is formally revoked.
Scale of the Broader Attack
The precise number of Axios users impacted across the ecosystem remains unclear, but early data from cybersecurity firms paints a concerning picture. Huntress found evidence of compromise on 135 machines, while cloud security firm Wiz observed the malicious version of Axios executing in 3% of affected environments it monitored.
North Korean Attribution and Threat Actor Motives
Cybersecurity experts have attributed the Axios supply chain attack to UNC1069, a North Korean-linked threat group. While the intelligence-gathering potential of a broad supply chain compromise would typically align with espionage objectives, UNC1069 is primarily known for cryptocurrency theft and other financially motivated schemes rather than traditional state-sponsored espionage.
This distinction raises questions about the ultimate intent behind the operation — whether the attackers were primarily seeking financial gain via access to sensitive signing certificates, building a foothold for future monetization, or pursuing a dual-purpose campaign with both financial and intelligence components.
Context Within a Broader Threat Landscape
The Axios incident is part of a growing pattern of supply chain attacks targeting the NPM ecosystem and developer toolchains. Similar recent campaigns include the Telnyx attack linked to the TeamPCP supply chain compromise and malicious Strapi NPM packages aimed at Guardarian users. These incidents collectively underscore the risk that open source dependencies introduce into even the most security-conscious organizations — including AI companies like OpenAI that operate at significant scale.
For developers and security teams, the episode serves as a reminder to monitor dependency updates carefully, implement integrity verification for build pipelines, and apply the principle of least privilege to any workflow that has access to sensitive credentials like code-signing certificates.
Source: SecurityWeek