Full Report
OpenAI is rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a malicious Axios package during a recent supply chain attack. [...]
Analysis Summary
# Incident Report: OpenAI macOS Code-Signing Certificate Rotation
## Executive Summary
OpenAI initiated an emergency rotation of macOS code-signing certificates following a supply chain attack involving the compromised `axios` npm package. On March 31, 2026, a legitimate GitHub Actions workflow at OpenAI executed a malicious version of Axios (v1.14.1), which had been hijacked by North Korean threat actors (UNC1069). While no evidence of certificate theft or data breach was found, OpenAI is revoking the certificates out of caution to prevent potential unauthorized app notarization.
## Incident Details
- **Discovery Date:** Following the Axios supply chain disclosure (circa late March/early April 2026)
- **Incident Date:** March 31, 2026
- **Affected Organization:** OpenAI
- **Sector:** Technology / Artificial Intelligence
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 31, 2026
- **Vector:** Supply Chain Compromise (Malicious Dependency)
- **Details:** A GitHub Actions workflow used for building OpenAI macOS applications downloaded and executed version 1.14.1 of the `axios` package, which contained a Remote Access Trojan (RAT).
### Lateral Movement
- **Details:** The malicious package executed within the CI/CD environment (GitHub Actions). This environment had legitimate access to code-signing certificates used for macOS applications.
### Data Exfiltration/Impact
- **Details:** No evidence was found that certificates were exfiltrated, nor was OpenAI user data or IP compromised. However, the presence of the RAT in a sensitive build environment created the risk of certificate exposure.
### Detection & Response
- **Detection:** Discovered via intelligence regarding the broader Axios npm package compromise.
- **Response:** OpenAI engaged a third-party incident response firm, audited notarization logs, and began a phased revocation and rotation of the affected macOS signing certificate.
## Attack Methodology
*Note: This methodology describes the upstream Axios compromise that impacted OpenAI.*
- **Initial Access:** Social engineering (fake web conference/collaboration) against an Axios maintainer.
- **Persistence:** Remote Access Trojan (RAT) installed on maintainer's machine.
- **Privilege Escalation:** Not specified; likely utilized maintainer's local npm credentials.
- **Defense Evasion:** Use of legitimate npm update channels to distribute malware.
- **Credential Access:** Theft of npm publishing credentials from the project maintainer.
- **Discovery:** Automated execution within downstream CI/CD pipelines (like OpenAI's).
- **Lateral Movement:** Supply chain injection into downstream developer environments.
- **Collection:** N/A (OpenAI investigation found no evidence of data collection).
- **Exfiltration:** Potential exfiltration of environment variables or secrets by the Axios RAT.
- **Impact:** Potential for unauthorized software signing and notarization.
## Impact Assessment
- **Financial:** Costs associated with third-party incident response and manual certificate rotation.
- **Data Breach:** None confirmed.
- **Operational:** Disruption for macOS users who must update apps (ChatGPT Desktop, Codex, Atlas) before May 8, 2026.
- **Reputational:** Minimal, though the incident highlights exposure to compromised upstream open-source dependencies.
## Indicators of Compromise
- **File indicators:** `axios` version 1.14.1 (malicious npm package).
- **Behavioral indicators:** Unauthorized execution of scripts during GitHub Actions workflows; network callbacks to UNC1069 infrastructure.
- **Actor:** UNC1069 (North Korean linked).
## Response Actions
- **Containment:** Isolated the affected GitHub Actions workflow and audited build logs.
- **Eradication:** Removed the malicious Axios dependency from all internal workflows.
- **Recovery:** Rotating macOS code-signing certificates and releasing new versions of ChatGPT Desktop, Codex, Codex CLI, and Atlas.
- **Coordination:** Collaborated with Apple to ensure the old certificate is revoked and cannot be used for future notarization.
## Lessons Learned
- **Dependency Risk:** Even highly secured organizations are vulnerable to a single compromised "leaf" dependency in the open-source ecosystem.
- **Build Environment Isolation:** Code-signing secrets within CI/CD pipelines must be strictly scoped and monitored for any anomalous activity during the build process.
- **Proactive Revocation:** Rotating secrets and certificates "out of an abundance of caution"—even without proof of theft—is a best practice to maintain long-term trust.
## Recommendations
- **Dependency Pinning:** Use lockfiles (e.g., `package-lock.json`) and consider pinning dependencies to specific hashes (SHAs) rather than version numbers.
- **Software Bill of Materials (SBOM):** Implement continuous SBOM scanning to detect known compromised versions of packages in real time.
- **Isolated Build Runners:** Use ephemeral, isolated runners for sensitive tasks like code signing, ensuring that secrets are only exposed to the minimum necessary code.
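
As an added example (not OpenAI's tooling or code from the original report), the check below is one way to apply the pinning and scanning recommendations to a `package-lock.json` before a build reaches the signing step: it flags every resolved copy of a denylisted version, including transitive copies nested under other packages, and any entry without an integrity hash. It assumes the lockfileVersion 2/3 `packages` layout; the sample lockfile, the package names other than `axios`, and all hash values are constructed placeholders.

```javascript
// Added example: audit the "packages" map of an npm lockfile (lockfileVersion 2/3).
// The denylist holds the one file indicator this report names: axios 1.14.1.
const DENYLIST = new Map([["axios", ["1.14.1"]]]);

// The package name is whatever follows the last "node_modules/" in the key,
// so nested (transitive) copies and scoped names resolve correctly.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function auditLockfile(lock, denylist = DENYLIST) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (name === null || entry.link) continue; // root project or workspace symlink
    const base = { path, name, version: entry.version };
    if ((denylist.get(name) || []).includes(entry.version)) {
      findings.push({ ...base, issue: "denylisted-version" });
    }
    // Without an integrity hash the installer cannot verify the downloaded
    // tarball. Bundled dependencies legitimately carry none, so skip those.
    if (!entry.integrity && !entry.inBundle) {
      findings.push({ ...base, issue: "missing-integrity" });
    }
  }
  return findings;
}

// Constructed sample lockfile; names other than axios and all hashes are placeholders.
const SAMPLE_LOCK = {
  name: "example-macos-build",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-macos-build", dependencies: { axios: "^1.13.0" } },
    "node_modules/axios": { version: "1.13.0", integrity: "sha512-PLACEHOLDER-A" },
    "node_modules/example-http-wrapper": { version: "2.0.3", integrity: "sha512-PLACEHOLDER-B" },
    "node_modules/example-http-wrapper/node_modules/axios": { version: "1.14.1", integrity: "sha512-PLACEHOLDER-C" },
    "node_modules/@example/unhashed": { version: "0.1.0" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

The top-level `axios` entry in the sample is clean; the hit comes from the copy nested under another package, which a check of direct dependencies alone would miss.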