OpenAI Revokes macOS Certificate Following Axios Supply Chain Compromise
Key Findings
- OpenAI's GitHub Actions workflow downloaded malicious Axios version 1.14.1 on March 31, compromising access to macOS app signing certificates
- North Korean hacking group UNC1069 hijacked the Axios package maintainer account and injected WAVESHAPER.V2 backdoor into versions 1.14.1 and 0.30.4
- OpenAI found no evidence of user data theft, system compromise, or software alteration despite certificate access
- All macOS versions of ChatGPT Desktop, Codex, Codex CLI, and A
3 days ago, 2 min read
Google Attributes Axios npm Supply Chain Attack to North Korean APT UNC1069
Key Findings
- Google Threat Intelligence Group attributed the Axios npm supply chain attack to UNC1069, a financially motivated North Korean threat group active since at least 2018
- Attackers compromised maintainer Jason Saayman's npm account and published two malicious Axios versions (1.14.1 and 0.30.4) within an hour
- The attack injected a malicious dependency called "plain-crypto-js" that deployed a cross-platform remote access trojan targeting Windows, macOS, and Linux
- Given
Apr 1, 3 min read
# Critical Supply Chain Attack: Axios npm Account Compromised to Distribute Cross-Platform RAT Malware
Key Findings
- Attackers compromised the npm account of Axios maintainer Jason Saayman and published malicious versions 1.14.1 and 0.30.4 containing a hidden RAT malware dependency
- The malicious versions injected "plain-crypto-js@4.2.1" as a fake dependency that deploys cross-platform remote access trojans targeting Windows, macOS, and Linux
- Both poisoned versions were published within 39 minutes on March 31, 2026, bypassing GitHub Actions CI/CD verification through compromised
Mar 31, 3 min read
