OpenAI has revoked the certificate used to sign its macOS applications after discovering that a GitHub Actions workflow involved in the signing process downloaded a compromised version of the Axios library. The incident, which occurred on March 31, was linked to a wider supply chain attack targeting open source ecosystems. Despite the exposure, the company stated that no user data, internal systems, or intellectual property were affected. The decision to revoke and rotate the certificate was described as a precautionary move to maintain the integrity of its software distribution process and prevent any potential misuse.
The compromised Axios package, identified as versions 1.14.1 and 0.30.4, had been altered by attackers who gained control of the maintainer’s npm account. The malicious versions included a dependency called plain crypto js, which deployed a cross platform backdoor known as WAVESHAPER V2. This malware was capable of targeting Windows, macOS, and Linux environments. OpenAI confirmed that its workflow executed the infected version as part of an automated process that also had access to sensitive signing and notarization credentials used for ChatGPT Desktop, Codex, Codex CLI, and Atlas applications. However, internal analysis suggested that the certificate was likely not exfiltrated due to timing, sequencing, and other safeguards built into the workflow.
As part of its response, OpenAI is working with Apple to ensure that software signed with the revoked certificate cannot be newly notarized. Older versions of its macOS applications will stop receiving updates and support after May 8, 2026, and systems will block apps signed with the previous certificate by default unless users manually override security settings. Updated versions of the applications have already been released with a new certificate, and users are being encouraged to upgrade within the transition window to avoid disruptions.
The Axios compromise was one of two major supply chain attacks reported in March, alongside a separate incident involving the Trivy vulnerability scanner. That campaign, attributed to a group known as TeamPCP, led to the deployment of credential stealing malware and a self propagating worm across multiple ecosystems. Attackers leveraged stolen credentials to infiltrate additional tools and pipelines, including GitHub Actions workflows and Python packages such as LiteLLM and Telnyx. Security researchers observed rapid lateral movement, data exfiltration, and evolving attack techniques, including obfuscation and steganography to evade detection.
Industry analysis suggests that these attacks may have exposed hundreds of thousands of secrets, increasing the risk of further compromises across cloud and SaaS environments. Organizations including Mercor and the European Commission have confirmed breaches linked to the Trivy incident, with stolen data later appearing on dark web platforms. Experts warn that such attacks exploit implicit trust in open source dependencies and automated pipelines, emphasizing the need for stricter verification practices, short lived credentials, and hardened development environments.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
