OpenAI Revokes macOS Certificate Following Axios Supply Chain Compromise
Key Findings
OpenAI's GitHub Actions workflow downloaded malicious Axios version 1.14.1 on March 31, compromising access to macOS app signing certificates
North Korean hacking group UNC1069 hijacked the Axios package maintainer account and injected the WAVESHAPER.V2 backdoor into versions 1.14.1 and 0.30.4
OpenAI found no evidence of user data theft, system compromise, or software alteration despite certificate access
All macOS versions of ChatGPT Desktop, Codex, Codex CLI, and Atlas signed with the old certificate will be blocked starting May 8, 2026
Users must update to newly signed versions by the deadline or lose app functionality
Background
The Axios compromise was part of a broader March attack wave targeting the open-source ecosystem. Axios is an HTTP client library downloaded roughly 100 million times weekly and used across approximately 80% of cloud environments. UNC1069 successfully bypassed npm and GitHub security checks to publish the poisoned versions. The malicious payload deployed within just 89 seconds of publication and remained active for only three hours before detection.
How OpenAI Was Affected
OpenAI's macOS app-signing workflow automatically downloaded and executed the compromised Axios 1.14.1 during the attack window. Because this build pipeline had access to code-signing certificates and notarization materials used for multiple applications, the certificates were immediately treated as potentially compromised. The workflow could access signing credentials for ChatGPT Desktop, Codex, Codex CLI, and Atlas.
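The build-pipeline exposure described above comes down to a dependency resolving to a poisoned release during a short publication window. The following script, added here as an example and not code from OpenAI or the Axios project, scans an npm package-lock.json (v2/v3 "packages" layout, with a fallback for the older v1 "dependencies" tree) and reports every axios entry pinned to one of the two versions named in this write-up, including nested copies under other packages. The lockfile in the block is constructed for the example.

```python
"""Scan an npm lockfile for the compromised Axios releases.

Added example (not OpenAI's or Axios's own code). Parses the
package-lock.json v2/v3 layout, where each installed package appears under
"packages" keyed by its node_modules path, and falls back to the v1 nested
"dependencies" tree. Reports any axios entry whose resolved version is one of
the two releases named in the write-up.
"""
import json

# Versions the write-up names as carrying the WAVESHAPER.V2 backdoor.
COMPROMISED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}

# Constructed sample package-lock.json (v3 layout); not a real project's lockfile.
SAMPLE_LOCKFILE = """
{
  "name": "signing-pipeline",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "signing-pipeline", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1",
                           "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz"},
    "node_modules/some-tool": {"version": "2.0.0"},
    "node_modules/some-tool/node_modules/axios": {"version": "1.13.0"}
  }
}
"""


def find_compromised_axios(lockfile_text, bad_versions=COMPROMISED_AXIOS_VERSIONS):
    """Return [(path, version)] for every axios entry pinned to a compromised version."""
    lock = json.loads(lockfile_text)
    hits = []

    if "packages" in lock:
        # v2/v3: flat map keyed by node_modules path. The last path component
        # is the package name, which also catches nested copies such as
        # node_modules/foo/node_modules/axios.
        for path, meta in lock["packages"].items():
            if path.rsplit("/", 1)[-1] != "axios":
                continue
            if meta.get("version") in bad_versions:
                hits.append((path, meta["version"]))
        return hits

    # v1: nested "dependencies" tree; walk it recursively.
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "axios" and meta.get("version") in bad_versions:
                hits.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


if __name__ == "__main__":
    for path, version in find_compromised_axios(SAMPLE_LOCKFILE):
        print(f"compromised axios {version} at {path}")
```

Run it against each lockfile that a CI job installs from; a match means that job resolved the dependency inside the attack window and the credentials it could reach should be treated the way OpenAI treated its signing certificates.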
Why No Data Was Stolen
OpenAI's analysis determined that the malicious payload likely failed to exfiltrate the signing certificate because of several mitigating factors: the timing of the payload's execution, the point at which the certificate was injected into the job, and the sequencing of the job itself. The narrow three-hour window between deployment and detection also limited the attacker's opportunity to act.
Certificate Revocation and User Impact
Out of an abundance of caution, OpenAI is revoking the potentially compromised certificate and rotating to a new one. Starting May 8, 2026, macOS security protections will block any apps signed with the old certificate by default, preventing download or launch. The 30-day transition window gives users time to update to versions signed with the new certificate. OpenAI is also working with Apple to prevent any new notarizations of software signed with the old certificate, so that unauthorized third-party code cannot be made to appear legitimate.
Updated Version Requirements
Users must update to these versions or newer to maintain functionality:
ChatGPT Desktop: 1.2026.071
Codex App: 26.406.40811
Codex CLI: 0.119.0
Atlas: 1.2026.84.2
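For administrators verifying a fleet against the minimums above, the following script is an added example (not OpenAI's code) that reads CFBundleShortVersionString from an app bundle's Info.plist and compares it numerically, component by component, against the listed minimum. Lexical string comparison gets this wrong (it would rank "0.9.0" above "0.119.0"), which is why the comparison splits into integers. The bundle paths are assumptions, the sample Info.plist is constructed, and Codex CLI is left out because it is a command-line tool rather than an app bundle.

```python
"""Check installed macOS app versions against the advisory minimums.

Added example (not OpenAI's code). Reads CFBundleShortVersionString from an
app bundle's Info.plist and compares it numerically against the minimum
version listed in the write-up. Bundle paths are assumptions; the sample
plist is constructed for the example.
"""
import plistlib
from pathlib import Path

# Minimum versions from the write-up; anything older is signed with the revoked certificate.
MINIMUM_VERSIONS = {
    "ChatGPT Desktop": "1.2026.071",
    "Codex App": "26.406.40811",
    "Codex CLI": "0.119.0",
    "Atlas": "1.2026.84.2",
}

# Assumed bundle locations (hypothetical; confirm against your own installs).
# Codex CLI is a command-line tool, not an app bundle, so it is not checked here.
ASSUMED_BUNDLE_PATHS = {
    "ChatGPT Desktop": "/Applications/ChatGPT.app",
    "Codex App": "/Applications/Codex.app",
    "Atlas": "/Applications/ChatGPT Atlas.app",
}


def parse_version(text):
    """Split '1.2026.071' into (1, 2026, 71) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def meets_minimum(installed, minimum):
    """True when installed >= minimum; shorter tuples are padded with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def version_from_info_plist(plist_bytes):
    """Extract the marketing version string from Info.plist contents."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]


def check_bundle(app_name, bundle_path):
    """Return (status, installed_version); status is 'ok', 'update-required' or 'missing'."""
    info = Path(bundle_path) / "Contents" / "Info.plist"
    if not info.is_file():
        return ("missing", None)
    installed = version_from_info_plist(info.read_bytes())
    ok = meets_minimum(installed, MINIMUM_VERSIONS[app_name])
    return ("ok" if ok else "update-required", installed)


# Constructed sample Info.plist for an out-of-date build (not from a real bundle).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleShortVersionString</key>
  <string>1.2026.070</string>
</dict>
</plist>
"""


if __name__ == "__main__":
    for name, path in ASSUMED_BUNDLE_PATHS.items():
        status, installed = check_bundle(name, path)
        print(f"{name}: {status} (installed {installed}, minimum {MINIMUM_VERSIONS[name]})")
```

Any bundle reported as update-required will be blocked by macOS after May 8, 2026, so treat that status as a pending outage rather than an advisory.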
Broader Attack Context
The Axios incident was one of two major supply chain attacks in March. A separate attack by TeamPCP targeted Trivy, a vulnerability scanner, deploying the credential stealer SANDCLOCK and the self-propagating worm CanisterWorm. The group then used the stolen credentials to compromise npm packages and inject malware into GitHub Actions workflows maintained by Checkmarx, ultimately compromising the Python packages LiteLLM and Telnyx.
Sources
https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html
https://hackread.com/openai-macos-certificates-axios-supply-chain-breach/
https://socket.dev/blog/axios-supply-chain-attack-reaches-openai-macos-signing-pipeline-forces-certificate-rotation
https://www.msn.com/en-us/news/insight/openai-urges-macos-app-updates-after-axios-tool-compromise/gm-GMD6320F81?gemSnapshotKey=GMD6320F81-snapshot-1
https://www.reddit.com/r/SecOpsDaily/comments/1si8nus/axios_supply_chain_attack_reaches_openai_macos/