Full Report
The company said a developer tool automatically retrieved a malicious version of the popular open-source library, but insists the integrity of its systems and software were not impacted. The post OpenAI’s Mac apps needs an update thanks to the Axios hack appeared first on CyberScoop.
Analysis Summary
# Incident Report: OpenAI macOS Application Certificate Compromise
## Executive Summary
OpenAI’s macOS applications were impacted by a significant supply-chain attack targeting the Axios open-source library. A North Korean threat actor (UNC1069) compromised the library's maintainer to inject malware into the npm package, which was then automatically retrieved by OpenAI’s developer workflows. While OpenAI found no evidence of data exfiltration or system breach, they are revoking their macOS signing certificate as a precautionary measure, requiring all Mac users to update their apps.
## Incident Details
- **Discovery Date:** Late March 2026 (General Axios compromise); April 2026 (OpenAI specific disclosure)
- **Incident Date:** Late March 2026
- **Affected Organization:** OpenAI
- **Sector:** Artificial Intelligence / Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Late March 2026
- **Vector:** Supply Chain / Social Engineering
- **Details:** North Korean threat group UNC1069 used social engineering to compromise the computer of the lead maintainer for the "Axios" open-source library. This allowed the attackers to take over his npm and GitHub accounts.
### Lateral Movement
- **Details:** The attackers uploaded malicious versions of the Axios library to the npm registry. These versions were live for approximately three hours. OpenAI’s GitHub workflow—used for building and signing macOS applications—automatically downloaded and executed the malicious library during a routine build process.
### Data Exfiltration/Impact
- **Details:** The malicious payload was designed to exfiltrate sensitive data, specifically targeting signing certificates. OpenAI reports that the certificate was likely **not** successfully exfiltrated due to the timing of the execution and existing job sequencing, but the integrity of the build environment was technically violated.
### Detection & Response
- **Detection:** Discovered via security researchers and Google Threat Intelligence Group (UNC1069 tracking) following the broader Axios package compromise.
- **Response:** OpenAI hired a third-party forensics firm, identified a GitHub workflow misconfiguration, rotated security certificates, and issued a mandatory update for macOS users.
## Attack Methodology
- **Initial Access:** Social engineering of an upstream open-source maintainer.
- **Persistence:** Not applicable to OpenAI (transient build environment).
- **Privilege Escalation:** Compromise of maintainer accounts (GitHub/npm).
- **Defense Evasion:** Use of legitimate software distribution channels (npm) to bypass traditional perimeter security.
- **Credential Access:** Compromise of the Axios maintainer’s credentials.
- **Discovery:** Automated execution within CI/CD pipelines.
- **Lateral Movement:** Supply chain injection (Upstream to Downstream).
- **Collection:** Targeting of application signing certificates.
- **Exfiltration:** Attempted exfiltration via malicious scripts within the npm package.
- **Impact:** Forced revocation of software certificates and required patching for the entire macOS user base.
## Impact Assessment
- **Financial:** Costs associated with third-party forensics and developer time for remediation.
- **Data Breach:** None confirmed; no evidence of user data or IP theft.
- **Operational:** Disruption to developer workflows; mandatory update requirement for all Mac app users.
- **Reputational:** Moderate; highlights risks in OpenAI’s automated build pipeline.
## Indicators of Compromise
- **Network indicators:** Connections to known UNC1069 command-and-control infrastructure (not specified in text).
- **File indicators:** Malicious versions of Axios library (npm).
- **Behavioral indicators:** Unauthorized automated execution of scripts during GitHub Action workflows.
## Response Actions
- **Containment:** Corrected the GitHub workflow misconfiguration that allowed the retrieval of the malicious package.
- **Eradication:** Revoked the potentially compromised macOS signing certificate.
- **Recovery:** Issued new certificates and pushed updated versions of macOS applications; coordinated with Apple to prevent the use of the old certificate by fraudulent apps.
## Lessons Learned
- **Upstream Trust:** Even highly popular libraries (100M+ weekly downloads) can be compromised through a single maintainer.
- **Workflow Security:** CI/CD pipelines must have strict controls over dependency versioning and verification (e.g., using lockfiles or integrity hashes).
- **Timing:** Rapid response by the package maintainer (3-hour window) significantly limited the window for successful data exfiltration.
## Recommendations
- **Pin Dependencies:** Use specific version pinning and subresource integrity (SRI) checks for all external libraries to prevent automatic retrieval of malicious "latest" versions.
- **Least Privilege for CI/CD:** Ensure build environments have restricted network access to prevent exfiltration of secrets if a dependency is compromised.
- **Software Bill of Materials (SBOM):** Maintain a clear SBOM to quickly identify where compromised libraries are used across the organization's product suite.