OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
OpenAI revealed a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no user data or internal system was compromised.
“Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps,” OpenAI said in a post last week. “We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered.”
The disclosure comes a little over a week after Google Threat Intelligence Group (GTIG) attributed the supply chain compromise of the popular npm package to a North Korean hacking group it tracks as UNC1069.
The attack enabled the threat actors to hijack the package maintainer’s npm account to push two poisoned versions 1.14.1 and 0.30.4 that came embedded with a malicious dependency named “plain-crypto-js,” which deployed a cross-platform backdoor called WAVESHAPER.V2 to infect Windows, macOS, and Linux systems.
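A defender can check a project for the two poisoned releases and the malicious dependency named above. The following is an added example, not code from OpenAI, GTIG, or the Axios project; it scans the contents of a package-lock.json (lockfile versions 1 to 3). The sample lockfile, the `demo-app` and `sdk` names, and the plain-crypto-js version string are constructed.

```python
import json

# Indicators named in the article: the poisoned axios releases and the
# malicious dependency that shipped with them.
BAD_AXIOS = {"1.14.1", "0.30.4"}
BAD_DEP = "plain-crypto-js"

def _check(name, version, where, findings):
    if name == "axios" and version in BAD_AXIOS:
        findings.append((where, f"axios@{version}"))
    elif name == BAD_DEP:
        findings.append((where, f"{BAD_DEP}@{version}"))

def _walk_v1(deps, prefix, findings):
    # lockfileVersion 1: nested "dependencies" objects keyed by package name.
    for name, meta in deps.items():
        where = f"{prefix}/{name}" if prefix else name
        _check(name, meta.get("version", ""), where, findings)
        _walk_v1(meta.get("dependencies", {}), where, findings)

def scan_lockfile(text):
    """Return sorted (location, package@version) pairs for affected entries."""
    lock = json.loads(text)
    findings = []
    # lockfileVersion 2/3: flat "packages" map keyed by install path, so
    # transitive copies nested under another package are covered too.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        _check(name, meta.get("version", ""), path, findings)
    if "packages" not in lock:
        _walk_v1(lock.get("dependencies", {}), "", findings)
    return sorted(findings)

# Constructed sample lockfile (not real project data).
SAMPLE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "0.0.0-constructed"},
        "node_modules/sdk/node_modules/axios": {"version": "1.13.2"},
    },
})

if __name__ == "__main__":
    for where, what in scan_lockfile(SAMPLE):
        print(f"{where}: {what}")
```

A clean lockfile today does not show what a CI job resolved on March 31; build logs and artifact caches from that window need the same check.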
The artificial intelligence (AI) company said a GitHub Actions workflow it uses as part of its macOS app-signing process downloaded and executed Axios version 1.14.1. The workflow, it added, had access to a certificate and notarization material used for signing ChatGPT Desktop, Codex, Codex CLI, and Atlas.
“Our analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors,” the company said.
Despite finding no evidence of data exfiltration, OpenAI said it’s treating the certificate as compromised and that it’s revoking and rotating it. As a result, older versions of all its macOS desktop apps will no longer receive updates or support starting May 8, 2026.
This also means that apps signed with the previous certificate will be blocked by macOS security protections by default, preventing them from being downloaded or launched. The earliest releases signed with their updated certificate are listed below –
- ChatGPT Desktop – 1.2026.071
- Codex App – 26.406.40811
- Codex CLI – 0.119.0
- Atlas – 1.2026.84.2
As part of its remediation efforts, OpenAI is also working with Apple to ensure software signed with the previous certificate cannot be newly notarized. The 30-day window till May 8, 2026, is a way to minimize user disruption and give them enough time to make sure they are updated to the latest version, it pointed out.
“In the event that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate OpenAI software,” OpenAI said. “We have stopped new software notarizations using the old certificate, so new software signed with the old certificate by an unauthorized third-party would be blocked by default by macOS security protections unless a user explicitly bypasses them.”
Two Supply Chain Attacks Rock March
The breach of Axios, one of the most widely used HTTP client libraries, was one of the two major supply chain attacks that took place in March aimed at the open-source ecosystem. The other incident targeted Trivy, a vulnerability scanner maintained by Aqua Security, resulting in cascading impacts across five ecosystems, affecting a number of other popular libraries depending on it.
The attack, the work of a cybercriminal group called TeamPCP (aka UNC6780), deployed a credential stealer dubbed SANDCLOCK that facilitated the extraction of sensitive data from developer environments. Subsequently, the threat actors weaponized the stolen credentials to compromise npm packages and push a self-propagating worm named CanisterWorm.
Days later, the crew used secrets pilfered from the Trivy intrusion to inject the same malware into two GitHub Actions workflows maintained by Checkmarx. The threat actors then followed it up by publishing malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI), both of which use Trivy in their CI/CD pipeline.
“The Telnyx compromise indicates a continued change in the techniques used in TeamPCP’s supply chain activity, with adjustments to tooling, delivery methods, and platform coverage,” Trend Micro said in an analysis of the attack.
“In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving their delivery from inline Base64 to .pth auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence.”
On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named “msbuild.exe” that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework.
Additional analyses of the campaign, now identified as CVE-2026-33634, have been published by various cybersecurity vendors –
TeamPCP’s supply chain compromise rampage may have come to an end, but the group has since shifted its focus towards monetizing existing credential harvests by teaming up with other financially motivated groups like Vect, LAPSUS$, and ShinyHunters. Evidence indicates that the threat actor has also launched a proprietary ransomware operation under the name CipherForce.
These efforts have been complemented by TeamPCP’s use of the stolen data to access cloud and software-as-a-service (SaaS) environments, marking a new-found escalation of the campaign. To that end, the cybercrime gang has been found to verify stolen credentials using TruffleHog, launch discovery operations within 24 hours of validation, exfiltrate more data, and attempt lateral movement to gain access to the broader network.
“The credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data,” Wiz researchers said. “While the speed at which they were used suggests that it was the work of the same threat actors responsible for the supply chain operations, we are not able to rule out the secrets being shared with other groups and used by them.”
Attacks Ripple Through Dependencies
Google has warned that “hundreds of thousands of stolen secrets” could potentially be circulating as a result of the Axios and Trivy attacks, fueling more software supply chain attacks, SaaS environment compromises, ransomware and extortion events, and cryptocurrency theft over the near term.
Two organizations that have confirmed compromise through the Trivy supply chain attack are artificial intelligence (AI) data training startup Mercor and the European Commission. While the company has not shared details on the impact, the LAPSUS$ extortion group listed Mercor on its leak site, claiming to have exfiltrated about 4TB of data. The Mercor breach has led Meta to pause its work with the company, according to a report from WIRED.
Earlier this month, CERT-EU revealed that the threat actors used the stolen AWS secret to exfiltrate data from the Commission’s cloud environment. This included data relating to websites hosted for up to 71 clients of the Europa web hosting service and outbound email communications. The ShinyHunters group has since released the exfiltrated dataset publicly on its dark web leak site.
GitGuardian’s analysis of the Trivy and LiteLLM supply chain attacks and their spread through dependencies and automation pipelines has found that 474 public repositories executed malicious code from the compromised “trivy-action” workflow, and 1,750 Python packages were configured in a way that would automatically pull the poisoned versions.
“TeamPCP is deliberately targeting security tools that run with elevated privileges by design. Compromising them gives the attacker access to some of the most sensitive environments in the organization, because security tools are typically granted broad access by design,” Brett Leatherman, assistant director of Cyber Division at the U.S. Federal Bureau of Investigation (FBI), wrote on LinkedIn.
The supply chain incidents are dangerous because they take aim at the inherent trust developers assume when downloading packages and dependencies from open-source repositories. “Trust was assumed where it should have been verified,” Mark Lechner, chief information security officer at Docker, said.
“The organizations that came through these incidents with minimal damage had already begun replacing implicit trust with explicit verification at every layer of their stack: verified base images instead of community pulls, pinned references instead of mutable tags, scoped and short-lived credentials instead of long-lived tokens, and sandboxed execution environments instead of wide-open CI runners.”
Both Docker and the Python Package Index (PyPI) maintainers have outlined a long list of recommendations that developers can implement to counter such attacks –
- Pin packages by digest or commit SHA instead of mutable tags.
- Use Docker Hardened Images (DHI).
- Enforce minimum release age settings to delay adoption of new versions for dependency updates.
- Treat every CI runner as a potential breach point and avoid pull_request_target triggers in GitHub Actions unless absolutely necessary.
- Use short-lived, narrowly scoped credentials.
- Use an internal mirror or artifact proxy.
- Deploy canary tokens to get alerted to potential exfiltration attempts.
- Audit environment for hard-coded secrets.
- Run AI coding agents in sandboxed environments.
- Use trusted publishing to push packages to npm and PyPI.
- Secure the open-source development pipeline with two-factor authentication (2FA).
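Two of the recommendations above, pinning by digest or commit SHA and avoiding pull_request_target, can be checked mechanically. The following is an added example, not tooling from Docker, PyPI, or GitHub: a line-based audit of a GitHub Actions workflow file. The sample workflow, `example-org/scan-action`, and the rule names are constructed for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")        # full commit SHA, not a tag or branch
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")   # immutable image digest
PRT = re.compile(r"\bpull_request_target\b")
COMMENT = re.compile(r"(^|\s)#.*")            # heuristic YAML comment stripper

def audit_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = COMMENT.sub("", raw)
        if PRT.search(line):
            findings.append((no, "pull_request_target", line.strip()))
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action, versioned with the repository itself
        if ref.startswith("docker://"):
            if not DIGEST.fullmatch(ref.rsplit("@", 1)[-1]):
                findings.append((no, "unpinned-image", ref))
            continue
        if not FULL_SHA.fullmatch(ref.partition("@")[2]):
            findings.append((no, "mutable-ref", ref))
    return findings

# Constructed workflow (not taken from any real repository).
SAMPLE = """\
name: sign-macos
on:
  pull_request_target:
    branches: [main]
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scan-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: docker://example/tool:latest
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

The check is textual, so it does not follow reusable workflows or composite actions; those files need the same audit.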
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2026-33634 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by April 9, 2026.
“The number of recent software supply chain attacks is overwhelming,” Charles Carmakal, chief technology officer of Mandiant Consulting at Google, said. “Defenders need to pay close attention to these campaigns. Enterprises should spin up dedicated projects to assess the existing impact, remediate, and harden against future attacks.”


