OpenAI Responds to Widespread Supply-Chain Compromise
OpenAI has updated its security certificates and is mandating that all macOS users upgrade to the latest versions of its applications, after confirming that its products were among many caught up in a broad supply-chain attack that briefly corrupted a popular open-source library in late March. The company disclosed the incident in a blog post published Friday.
Despite the severity of the underlying attack, OpenAI stated it "found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered." Even so, the company is taking a precautionary stance on a certificate it uses to sign macOS applications.
How the Axios Attack Unfolded
The root of the incident traces back to Axios, a widely used JavaScript HTTP library. A North Korean hacking group, tracked by Google Threat Intelligence Group as UNC1069, compromised the personal computer of Jason Saayman, the lead maintainer of Axios, through social engineering. The attackers then seized control of Saayman's npm and GitHub accounts, allowing them to inject malware into two versions of the library.
Saayman confirmed that the malicious versions of Axios were live for approximately three hours before they were identified and removed. While brief, the exposure window was enough to trigger downstream concerns across a large portion of the software ecosystem. Google Threat Intelligence Group noted that the impact of the attack was broad, with ripple effects potentially exposing other popular packages. The JavaScript libraries in question flow into dependent downstream software through more than 100 million and 83 million downloads weekly, respectively.
Why OpenAI Is Treating Its Certificate as Compromised
A GitHub workflow that OpenAI relies upon to sign certificates for its macOS applications downloaded and executed the malicious version of Axios during the attack window. This placed the signing certificate — a cryptographic credential that helps users verify they are downloading legitimate software — in a potentially exposed state.
OpenAI was careful to clarify, however, that the malware did not directly steal the certificate. The company explained in its blog post:
"The signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors."
Nevertheless, citing an abundance of caution, OpenAI confirmed it is revoking and rotating the affected certificate. The company identified a misconfiguration in its GitHub workflow as the root cause of its exposure and said that error has since been corrected.
What This Means for macOS Users
OpenAI has set May 8 as the date on which the compromised certificate will be fully revoked. Older versions of its macOS applications will lose functionality and will no longer receive support after that deadline. The 30-day window was deliberately chosen to minimize disruption for end users, though OpenAI stated it will accelerate the revocation timeline if any malicious activity is detected before then.
In addition to correcting its internal workflow misconfiguration, OpenAI said it worked directly with Apple to ensure that fraudulent applications impersonating OpenAI cannot leverage the impacted certificate. A third-party digital forensics and incident response firm was also brought in to assist with the investigation and ongoing response efforts.
A Broader Pattern of Open-Source Attacks
The Axios compromise did not occur in isolation. The attack was discovered just weeks after a separate series of incidents in which other open-source tools — including Trivy — were compromised by a different threat actor, UNC6780, also known as TeamPCP. Those intrusions resulted in aggressive extortion attempts targeting affected organizations.
Taken together, these incidents underscore a growing trend of sophisticated, state-linked threat actors targeting the open-source software supply chain as a high-leverage attack vector, exploiting the trust developers place in widely adopted libraries and the maintainers behind them.
Key Takeaways
- Who was behind the attack: North Korean hacking group UNC1069, as tracked by Google Threat Intelligence Group
- What was compromised: Two versions of the Axios JavaScript library, via the hijacked accounts of lead maintainer Jason Saayman
- How long the malicious versions were live: Approximately three hours
- OpenAI's exposure: A GitHub Actions workflow used to sign macOS app certificates executed the malicious Axios code
- Action required: All macOS OpenAI app users must update before May 8, 2025, when the old certificate is revoked
- User data status: OpenAI found no evidence of user data access, system compromise, or software tampering
Source: CyberScoop