CyberSecurity SEE

OpenAI Revokes macOS App Certificate Following Malicious Axios Supply Chain Incident

OpenAI Responds to Axios Library Compromise: Key Details and Implications

In a disclosure made on March 31, OpenAI said that a GitHub Actions workflow used to sign its macOS applications had inadvertently downloaded a compromised version of the Axios library, raising concerns across the developer community. The company emphasized that neither user data nor internal systems were breached during the incident.

OpenAI issued a statement indicating that, "Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps." The statement reassured users that there was no evidence indicating unauthorized access to OpenAI’s user data, systems, intellectual property, or alterations to their software.

This announcement closely followed a report from Google Threat Intelligence Group (GTIG), which associated the supply chain attack on the widely used npm package Axios with a hacking group from North Korea designated as UNC1069. The attackers hijacked the npm account of the package maintainer, which allowed them to introduce two compromised versions (1.14.1 and 0.30.4), each embedded with a malicious dependency called "plain-crypto-js." This malicious code launched a cross-platform backdoor known as WAVESHAPER.V2 that targeted Windows, macOS, and Linux systems.
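As an added example (not code from OpenAI, GTIG or the Axios project), the following Node.js sketch audits a parsed `package-lock.json` for the two Axios versions and the dependency named above. It assumes the lockfileVersion 2/3 `packages` layout; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not OpenAI's or Axios's code): audit a parsed package-lock.json.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]); // versions named in the article
const BAD_DEP = "plain-crypto-js";               // dependency named in the article

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Scan the "packages" map (lockfileVersion 2 or 3) and return a list of findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isRoot = path === "";
    const name = isRoot ? meta.name || "(root project)" : packageNameFromPath(path);
    if (!isRoot && name === "axios" && BAD_AXIOS.has(meta.version)) {
      findings.push({ path, reason: `axios@${meta.version} is a compromised release` });
    }
    if (!isRoot && name === BAD_DEP) {
      findings.push({ path, reason: `${BAD_DEP} is installed` });
    }
    // Also flag any package that declares the malicious dependency, wherever it is installed.
    const declared = { ...meta.dependencies, ...meta.optionalDependencies };
    if (name !== BAD_DEP && BAD_DEP in declared) {
      findings.push({ path, reason: `${name} declares ${BAD_DEP} as a dependency` });
    }
  }
  return findings;
}

// Constructed sample lockfile; the plain-crypto-js version is a placeholder.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "^0.0.0-placeholder", "follow-redirects": "^1.15.6" },
    },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/legacy-tool/node_modules/axios": { version: "0.27.2" },
  },
};

for (const f of auditLockfile(sampleLock)) console.log(`${f.path}: ${f.reason}`);
```

Against a real project, pass the result of `JSON.parse` on the lockfile contents to `auditLockfile`; a finding on a CI runner means the secrets available to that job should be treated as exposed.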

OpenAI elaborated that its GitHub Actions workflow, integral to the macOS app-signing process, downloaded and executed the compromised Axios version 1.14.1. This workflow had access to critical certificate and notarization materials essential for signing various applications, including ChatGPT Desktop, Codex, Codex CLI, and Atlas.

According to OpenAI’s analysis, although the malicious payload executed, there was no indication that the signing certificate linked to this workflow had been successfully exfiltrated. This conclusion stemmed from the timing of the payload execution, the method of certificate injection into the job, and a series of other mitigating factors.

In light of their findings, OpenAI decided to treat the certificate as compromised. Thus, the company will revoke and rotate the certificate, leading to the termination of updates and support for older versions of all its macOS desktop applications starting May 8, 2026. Applications signed with the prior certificate will be blocked by macOS security protections, meaning users would be unable to download or launch them unless they bypass these security measures.

OpenAI listed the initial releases signed with the new certificate to help users transition smoothly:

Furthermore, OpenAI is collaborating with Apple to ensure that programs signed with the previous certificate cannot be notarized in the future. This transition period until May 2026 is intended to minimize disruption for users, providing ample opportunity to upgrade to the latest versions.

The company emphasized the risk had malicious actors obtained the certificate: they could have used it to sign their own code, giving it the appearance of official OpenAI software. OpenAI has halted all new software notarizations using the prior certificate, so any unauthorized new software signed with it is blocked by default by macOS security protections.

Parallel Supply Chain Attacks

The Axios library incident was just one of two major supply chain attacks that occurred in March, aiming at the open-source ecosystem. The second incident targeted Trivy, a vulnerability scanner managed by Aqua Security. This attack had cascading implications across five different ecosystems, affecting numerous other libraries that relied on it.

The cybercriminal group TeamPCP, also known as UNC6780, was responsible for this Trivy attack, deploying a credential stealer named SANDCLOCK that facilitated the extraction of sensitive data from developer environments. Subsequently, the stolen credentials were weaponized to compromise npm packages and instigate a self-propagating worm named CanisterWorm.

Just days later, TeamPCP exploited credentials resulting from the Trivy breach to inject malicious code into two GitHub Actions workflows maintained by Checkmarx. Following this, they published infected versions of LiteLLM and Telnyx to the Python Package Index (PyPI)—both of which used Trivy in their CI/CD pipelines.

Experts have noted a shift in techniques used by TeamPCP, indicating an evolution in their delivery methods and platforms affected. The ramifications of these attacks ripple through dependencies, as a plethora of stolen secrets could lead to further incidents in the near term.

Both Docker and PyPI maintainers have provided extensive recommendations for developers to counteract such compromises. These include pinning packages by immutable identifiers, employing secure images, treating CI runners as potential breach points, and implementing robust credential management through the use of short-lived tokens.
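One way to check the "pin by immutable identifier" recommendation in a GitHub Actions workflow, as an added example that is not taken from the Docker or PyPI guidance: the sketch below flags `uses:` references that are not pinned to a full commit SHA or an image digest. It is a line-based check rather than a YAML parser, and the workflow text and `example-org` action names are constructed.

```javascript
// Added example: flag mutable references in a GitHub Actions workflow.
const FULL_SHA = /^[0-9a-f]{40}$/;             // full commit SHA
const IMAGE_DIGEST = /@sha256:[0-9a-f]{64}$/;  // container image digest

// Line-based audit (an assumption: each "uses:" value sits on a single line).
function auditWorkflowPins(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith("./")) return; // local action, versioned with the repository itself
    if (ref.startsWith("docker://")) {
      if (!IMAGE_DIGEST.test(ref)) {
        findings.push({ line: i + 1, ref, reason: "container image not pinned by digest" });
      }
      return;
    }
    const at = ref.lastIndexOf("@");
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (!FULL_SHA.test(version)) {
      findings.push({ line: i + 1, ref, reason: "action pinned to a mutable tag or branch" });
    }
  });
  return findings;
}

// Constructed workflow; action names and the SHA are placeholders.
const sampleWorkflow = [
  "name: sign-macos",
  "on: push",
  "jobs:",
  "  sign:",
  "    runs-on: macos-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # v2.1.0",
  "      - uses: docker://example.invalid/scanner:latest",
  "      - uses: ./.github/actions/local-step",
  "      - name: Build",
  "        uses: example-org/build@main",
].join("\n");

for (const f of auditWorkflowPins(sampleWorkflow)) {
  console.log(`line ${f.line}: ${f.ref} (${f.reason})`);
}
```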

The urgency for heightened security measures is echoed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has added the incidents related to these supply chain attacks to its Known Exploited Vulnerabilities catalog, establishing a deadline for Federal agencies to apply necessary mitigations.

Conclusion

As organizations face increasing threats from sophisticated cybercriminal groups, the Axios incident serves as a stark reminder of the vulnerabilities inherent within the software supply chain. The need to shift from implicit trust to rigorous verification processes is paramount for safeguarding both user data and intellectual property. As the landscape of cyber threats evolves, security will undoubtedly remain a top priority for organizations worldwide.
