OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident

OpenAI disclosed that a GitHub Actions workflow used to sign its macOS applications downloaded the malicious Axios library on March 31, but noted that no user data or internal systems were compromised.
“Out of an abundance of caution, we are taking steps to protect the process that ensures our macOS apps are legitimate OpenAI apps,” OpenAI said in a post last week. “We found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was modified.”
The disclosure comes a little over a week after the Google Threat Intelligence Group (GTIG) linked the compromise of the popular npm package to a North Korean hacker group that goes by the name UNC1069.
In the attack, malicious actors hijacked the package maintainer’s npm account to push two poisoned versions, 1.14.1 and 0.30.4, that came embedded with a malicious dependency called “plain-crypto-js,” which included a cross-platform backdoor called WAVESHAPER.V2 to infect Windows, macOS, and Linux systems.
The Artificial Intelligence (AI) company said the GitHub Actions workflow it uses as part of its macOS app signing process downloaded and deployed Axios version 1.14.1. The workflow, it added, had access to the certificate and credentials used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas.
“Our analysis of this incident concluded that the signing certificate present in this workflow may not have been successfully released from the dangerous load due to the timing of the payment release, the injection of the certificate into the job, the sequence of the job itself, and other mitigating factors,” the company said.
Despite finding no evidence of a data leak, OpenAI said it treats the certificate as compromised and is revoking and rotating it. As a result, older versions of all macOS desktop applications will no longer receive updates or support as of May 8, 2026.
This also means that applications signed with the previous certificate will be blocked by macOS security protections by default, preventing them from being downloaded or launched. The earliest releases signed with the updated certificate are listed below –
- ChatGPT Desktop – 1.2026.071
- Codex App – 26.406.40811
- Codex CLI – 0.119.0
- Atlas – 1.2026.84.2
As part of its maintenance efforts, OpenAI is working with Apple to ensure that software signed with a previous certificate cannot be updated. The 30-day window until May 8, 2026, is a way to minimize user disruption and give them enough time to ensure they upgrade to the latest version, it revealed.
“In the event that the certificate is successfully compromised by a malicious actor, they can use it to sign their own code, making it appear as legitimate OpenAI software,” OpenAI said. “We set up notification of new software using the old certificate, so new software signed with the old certificate by an unauthorized third party will be automatically blocked by macOS security protection unless the user explicitly overrides it.”
Supply Chain Attacks Rock March
The breach of Axios, one of the most widely used HTTP client libraries, was one of two major attacks in March targeting the open source ecosystem. Another incident targeted Trivy, a vulnerability scanner maintained by Aqua Security, resulting in the corruption of five environments, affecting a number of other popular libraries.
The attack, the work of a hacker group called TeamPCP (also known as UNC6780), used malware called SANDCLOCK that facilitated the extraction of sensitive data from developer sites. Later, malicious actors used the stolen information to compromise npm packages and push a self-propagating worm called CanisterWorm.
Days later, the group used secrets stolen in the Trivy intrusion to inject the same malware into two GitHub Actions workflows maintained by Checkmarx. The threat actors then followed up by publishing malicious versions of LiteLLM and Telnyx on the Python Package Index (PyPI), both of which use Trivy in their CI/CD pipeline.
“The Telnyx compromise reflects a continuing shift in the strategies used in TeamPCP’s supply chain operations, with adjustments to tools, delivery methods, and platform deployments,” Trend Micro said in an analysis of the attack.
“In just eight days, the actor has implemented security scanners, AI infrastructure, and is now using communication tools, changing its delivery from inline Base64 to .pth auto-execution, and finally splitting the WAV steganography file, while also expanding from Linux-only to two-platform targeting with the insistence of Windows.”
On Windows systems, the compromise of the Telnyx Python SDK led to the use of an executable called “msbuild.exe” that uses several obfuscation techniques to avoid detection and extracts DonutLoader, a shellcode loader, from a PNG image present inside the binary to load the full-featured bexptisource2 associated with Adaconjan and Adacon. command and control (C2) framework.
Further analysis of the campaign, now identified as CVE-2026-33634, has been published by various cybersecurity vendors.
TeamPCP’s chain of compromise may have come to an end, but the group has shifted its focus to monetizing its existing harvest in collaboration with other financially motivated groups such as Vect, LAPSUS$, and ShinyHunters. Evidence shows that the threat actor has relaunched a ransomware program under the name CipherForce.
These efforts coincided with TeamPCP’s use of stolen data to access cloud and software-as-a-service (SaaS) environments, marking a newly discovered expansion of the campaign. To that end, the cybercriminal group was found to be verifying stolen credentials using TruffleHog, launching recovery operations within 24 hours of verification, exfiltrating additional data, and attempting coordinated moves to gain access to the wider network.
“Information and secrets stolen from supply chain planning were quickly verified and used to audit target locations and extract additional information,” Wiz investigators said. “While the speed with which it was used indicates that it was the work of malicious actors in the supply chain, we cannot rule out secrets being shared with other groups and being used by them.”
Attacks Ripple Through Dependencies
Google warned that “hundreds of thousands of stolen secrets” may have been spread as a result of the attacks on Axios and Trivy, fueling an increase in software attacks, SaaS environment compromises, ransomware and extortion events, and cryptocurrency theft in the short term.
The two organizations that have confirmed a compromise stemming from the Trivy supply chain attack are artificial intelligence (AI) data training startup Mercor and the European Commission. Although Mercor did not share details about the impact, the LAPSUS$ fraud group listed the company on its leak site, claiming to have leaked around 4TB of data. The Mercor breach led Meta to suspend its work with the company, according to a report from WIRED.
Earlier this month, CERT-EU revealed that threat actors used a stolen AWS password to extract data from the Commission’s cloud environment. This includes data relating to websites hosted by up to 71 clients of the Europa web hosting service and outgoing email communications. The ShinyHunters group has publicly released the classified dataset on its dark web leak site.
GitGuardian’s analysis of the Trivy and LiteLLM supply chain attacks and their spread through dependencies and automated pipelines found that 474 public repositories used malicious code in the vulnerable “trivy-action” workflow, and 1,750 Python packages were configured to automatically pull poisoned versions.
“TeamPCP deliberately targets security tools that operate with elevated privileges by design. Compromising them gives an attacker access to some of the most critical areas in an organization, because security tools are often given broad access by design,” Brett Leatherman, assistant director of the Cyber Division at the US Federal Bureau of Investigation (FBI), wrote on LinkedIn.
Supply chain incidents are dangerous because they exploit the trust developers assume when downloading packages and dependencies from open source repositories. “Trust was taken where it should have been trusted,” said Mark Lechner, chief security officer at Docker.
“Organizations that experienced these incidents with minimal damage had begun to replace implicit trust with implicit authentication at all their layers: verified base images instead of community pulls, pinned references instead of dynamic tags, available and short-lived credentials instead of long-lived tokens, and sandboxed execution environments instead of extensive CI.”
Both the Docker maintainers and the Python Package Index (PyPI) have revealed a long list of recommendations that developers can use to combat such attacks –
- Pin packages by digest or commit SHA instead of mutable tags.
- Use Docker Hardened Images (DHI).
- Use minimum release age settings to delay the adoption of new versions in dependency updates.
- Treat every CI runner as a potential breach point and avoid pull_request_target triggers in GitHub Actions unless absolutely necessary.
- Use short-lived, narrow-scope credentials.
- Use an internal mirror or artifact proxy.
- Use canary tokens to be alerted to possible exfiltration attempts.
- Audit environments for hard-coded secrets.
- Run AI coding agents in sandboxed environments.
- Use trusted publishing to push packages to npm and PyPI.
- Secure your open source development pipeline with two-factor authentication (2FA).
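Two of the recommendations above (pinning to a commit SHA or digest, and avoiding pull_request_target) can be checked mechanically. The following audit is an added example, not tooling from Docker, PyPI or the article; it is a line-based heuristic rather than a full YAML parser, and the sample workflow, its commit SHA and the image name are constructed.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
PRT = re.compile(r"(?<![\w-])pull_request_target(?![\w-])")


def audit_workflow(text):
    """Return (line_number, finding) pairs for one workflow file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore YAML comments
        if PRT.search(code):
            findings.append((no, "pull_request_target trigger"))
        m = USES.match(code)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action, versioned with the repository itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((no, f"image not pinned by digest: {ref}"))
            continue
        _, _, rev = ref.partition("@")
        if not FULL_SHA.match(rev):  # tags and branches can be repointed
            findings.append((no, f"action not pinned to commit SHA: {ref}"))
    return findings


# Constructed sample workflow (the 40-character SHA is made up).
SAMPLE_WORKFLOW = """\
name: scan
on:
  pull_request_target:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
      - name: lint
        uses: docker://example/linter:latest
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for no, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {finding}")
```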
The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2026-33634 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to implement the necessary mitigations by April 9, 2026.
“The number of recent software attacks is enormous,” said Charles Carmakal, chief technology officer of Mandiant Consulting at Google. “Defenders must take a close look at these campaigns. Businesses must establish dedicated projects to assess the impact, remediate, and strengthen against future attacks.”



