OpenAI Revokes macOS Code-Signing Certs After Malicious Axios Package Hit CI Workflow

April 13, 2026 17:40

What Happened: Malicious Axios Package Reached OpenAI's Build Pipeline

OpenAI has begun revoking and rotating its macOS code-signing certificates following a supply chain incident in which a GitHub Actions workflow inadvertently downloaded and executed a tampered version of the popular Axios npm package. The event took place on March 31, 2026, when the legitimate workflow pulled Axios version 1.14.1 — a release that had been poisoned as part of a broader software supply chain campaign.

The affected workflow held access to code-signing certificates used to authenticate several of OpenAI's macOS applications, including ChatGPT Desktop, Codex, Codex CLI, and Atlas. Although OpenAI's subsequent investigation turned up no concrete proof that the certificates were actually exfiltrated, the company chose to treat them as potentially compromised and initiated a full rotation.

OpenAI's Official Statement

"Out of an abundance of caution we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps. We found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered. We are updating our security certificates, which will require all macOS users to update their OpenAI apps to the latest versions."

The company engaged a third-party incident response firm to assist with the investigation. Researchers reviewed prior notarization activity linked to the certificate and confirmed that every piece of software signed with it was authentic. Despite those reassuring findings, the potential risk of leaving the old certificate active was deemed too significant to ignore.

Why Certificate Rotation Matters

Even without confirmed theft, a compromised code-signing certificate in the wrong hands would be a serious threat. An adversary holding such a credential could sign their own malicious macOS binaries in a way that makes them appear to be genuine OpenAI software, potentially bypassing user suspicion and Apple's own trust mechanisms.

To close that window of risk, OpenAI is collaborating directly with Apple to ensure that no future software can be notarized using the previous certificate. The full revocation is scheduled for May 8, 2026, at which point macOS protections will actively block attempts to launch any application still signed with the old credential.

What macOS Users Need to Do

OpenAI has made clear that action is required from users running its macOS applications. Apps signed with the outdated certificate may cease to function after May 8, 2026, so updating before that deadline is critical. The company recommends the following steps:

OpenAI stressed that the incident is confined to its macOS application ecosystem. Web services, iOS, Android, Windows, and Linux apps are unaffected. Additionally, user accounts, passwords, and API keys were not impacted by the incident.

The Axios Supply Chain Attack and North Korean Threat Actors

The broader campaign that introduced the malicious Axios package has been attributed to North Korean threat actors tracked as UNC1069. Researchers say the group executed a social engineering operation targeting one of the Axios project's maintainers.

The attack began with a fabricated web conference call that resulted in the installation of malware on the maintainer's system. With that foothold established, UNC1069 gained unauthorized access to the maintainer's npm account and published the weaponized versions of Axios to the npm registry.

The malicious package embedded a dependency designed to install a remote access trojan (RAT) capable of running on macOS, Windows, and Linux. This cross-platform capability made the attack particularly far-reaching.

Broader Campaign Tactics

Security researchers tracking UNC1069 found that the group relied on elaborate fake collaboration scenarios to approach developers. These included:

The malware deployed through these social engineering lures ultimately led to credential theft and enabled further downstream supply chain compromises. Analysts believe this activity is part of a larger, ongoing campaign by North Korean state-linked actors to infiltrate widely used open-source projects and weaponize them for mass distribution.

OpenAI's Ongoing Monitoring

OpenAI has stated it will continue actively monitoring for any indicators that the now-deprecated certificate is being abused in the wild. Should suspicious activity surface before the scheduled revocation date, the company says it reserves the right to accelerate the May 8 timeline and revoke the certificate earlier than planned.

The incident highlights the persistent danger that software supply chain attacks pose even to sophisticated technology organizations, and underscores why automated build workflows require rigorous controls around the dependencies they consume and the credentials they can access.
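One dependency control of the kind described above, as an added example (not code from OpenAI, Axios or the source report): a CI gate that scans a parsed package-lock.json, nested copies included, for a blocklisted release. The blocklist holds only the 1.14.1 version named in this article; the sample lockfile, the `http-helper` package and the 1.13.0 version are constructed for illustration.

```javascript
// Added example: flag lockfile entries that resolve to a known-bad release.
// Only the version named in the article is listed; extend from your advisory feed.
const BLOCKLIST = new Map([["axios", new Set(["1.14.1"])]]);

// Lockfile v2/v3 keys are install paths; the package name follows the last
// "node_modules/", e.g. "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? path : path.slice(idx + "node_modules/".length);
}

// Walk the legacy v1 "dependencies" tree, where transitive copies are nested.
function walkV1(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const where = [...trail, name].join(" > ");
    if (BLOCKLIST.get(name)?.has(meta.version)) hits.push({ name, version: meta.version, where });
    walkV1(meta.dependencies, [...trail, name], hits);
  }
}

// Return every blocklisted entry in a parsed package-lock.json (v1, v2 or v3).
function findBlocked(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const name = meta.name || nameFromPath(path); // explicit name wins if present
      if (BLOCKLIST.get(name)?.has(meta.version)) hits.push({ name, version: meta.version, where: path });
    }
  } else {
    walkV1(lock.dependencies, [], hits);
  }
  return hits;
}

// Constructed sample (not from the incident): a clean top-level axios and a
// nested copy pinned to the flagged version by a hypothetical dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/http-helper/node_modules/axios": { version: "1.14.1" },
  },
};

// In CI: parse the real lockfile and exit non-zero when the result is non-empty.
const found = findBlocked(SAMPLE_LOCK);
console.log(found.map((h) => `BLOCKED ${h.name}@${h.version} at ${h.where}`).join("\n"));
```

Run the gate before `npm ci`, in a job that has no access to signing credentials, so a flagged version stops the build before any install script executes.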


Source: BleepingComputer
