OpenAI Revokes macOS App Certificate After Axios Supply-Chain Compromise

OpenAI has publicly disclosed a supply‑chain incident that affected the signing workflow for its macOS applications and, out of caution, is revoking and rotating the certificate used to notarize those apps. The company’s investigation found that a GitHub Actions workflow used in the macOS signing process pulled a compromised release of the widely used npm library Axios (version 1.14.1). Although OpenAI reports no evidence of user-data exfiltration or system compromise, the organization is treating the certificate as potentially compromised and taking steps to protect users and infrastructure. This post unpacks what happened, why it matters, what was affected, and practical steps both users and developers should take now.

What happened and how it was discovered

OpenAI identified that one of its GitHub Actions jobs downloaded and executed a poisoned Axios package that had been tampered with as part of a broader supply‑chain operation. Google Threat Intelligence Group (GTIG) and other investigators attributed the malicious npm releases to a North Korea–linked actor tracked as UNC1069. The compromised Axios versions (including 1.14.1) contained a dependency called plain-crypto-js that delivered a cross‑platform backdoor tracked as WAVESHAPER.V2, capable of infecting Windows, macOS, and Linux hosts.

OpenAI’s signing workflow had access to a certificate and notarization material used to sign several desktop products. The company’s analysis concluded the malicious payload likely did not successfully exfiltrate the signing certificate — due to timing, the sequence of job steps, and other mitigations — but because the possibility could not be ruled out, OpenAI revoked the certificate and rotated to a new one.

Immediate impact on users and affected apps

To minimize risk and prevent new software signed with the old certificate from being notarized or distributed, OpenAI stopped new notarizations using the old certificate and will block older app builds by default through macOS protections after a transition window. Users running older versions of OpenAI’s macOS apps must update before the cutoff to avoid app launch or download failures.

Earliest releases signed with the updated certificate:

• ChatGPT Desktop — 1.2026.071
• Codex App — 26.406.40811
• Codex CLI — 0.119.0
• Atlas — 1.2026.84.2

Older versions will stop receiving updates or support starting May 8, 2026, and macOS security protections will block apps signed with the previous certificate unless a user explicitly bypasses those protections.

The broader context: two major March supply‑chain incidents

The Axios compromise was one of two high‑profile supply‑chain incidents in March. The other targeted Trivy, a widely used vulnerability scanner maintained by Aqua Security. The Trivy compromise allowed attackers to extract credentials and plant a credential stealer (SANDCLOCK) that led to subsequent injection of malware into CI/CD workflows and packages across ecosystems. That campaign produced a wave of downstream compromises, including malicious versions pushed to package repositories and infections that used advanced persistence and obfuscation techniques.

Security vendors and government agencies have linked these incidents to multiple threat clusters and documented how stolen secrets were weaponized to escalate into broader cloud and software compromises. CISA added the Axios/Trivy exploitation (CVE-2026-33634) to its Known Exploited Vulnerabilities catalog and issued mitigation guidance.

Why signing workflows and CI/CD runners are high value

Security tools and CI/CD workflows often run with elevated privileges and access keys, and they are trusted implicitly to build, sign, and publish software. Compromising those workflows yields outsized value to attackers because it allows them to inject malicious code into widely distributed artifacts that appear legitimate to end users. The incidents underline the core supply‑chain challenge: implicit trust versus enforced verification.

What organizations and developers should do now

Short term (for end users)

• Update OpenAI macOS apps to the versions signed with the new certificate before May 8, 2026.
• Do not bypass macOS security prompts to run older app versions unless you fully understand the risk.
• Monitor official channels (OpenAI release notes, app stores) for updates and remediation guidance.

Short to medium term (for developers and security teams)

• Rotate and revoke sensitive signing credentials immediately after any suspicion of compromise; assume compromise until proven otherwise.
• Remove long‑lived credentials from workflows. Use short‑lived, narrowly scoped tokens and ephemeral credentials.
• Treat every CI runner as a potential breach point: run jobs in sandboxed, least‑privileged environments and avoid shared runners with broad access.
• Avoid pull_request_target triggers that expose secrets to untrusted code. Use pull_request workflows that build in isolation.
• Pin dependencies by digest or commit SHA instead of mutable tags. Delay adoption of brand‑new releases using minimum release age policies.
• Use internal mirrors or artifact proxies to control dependency provenance.
• Enforce multi‑factor authentication (2FA) and verified publishing on package registries like npm and PyPI.
• Deploy monitoring (canary tokens, artifact integrity checks) to detect suspicious activity early.
• Audit repositories and CI pipelines for hard‑coded secrets and rotate any exposed keys.
• Consider reproducible builds and signed, verifiable artifacts so downstream consumers can validate provenance.

Lessons learned and strategic takeaways

Assume your build environment is a high‑value target. Security controls should be layered around CI/CD, not only around production systems.

Trust should be replaced with verification wherever possible: verify dependencies, verify artifacts, and verify the integrity of build inputs.

Rapid incident response and transparency — as in OpenAI’s handling — help limit downstream exposure and give users time to update.

Supply‑chain attacks are evolving quickly; organizations must invest in supply‑chain hygiene, automation for secret rotation, and continuous verification.

Closing

OpenAI’s revocation of its macOS signing certificate is a prudent, defensive move prompted by a sophisticated supply‑chain compromise of a popular dependency. While there is no public evidence that user data was accessed or that OpenAI’s systems were breached, the incident highlights persistent risks in modern software delivery and the necessity for developers and security teams to harden CI/CD, lock down credentials, and verify every link in the supply chain. For users, the immediate action is simple: update affected OpenAI macOS apps to the newly signed releases before May 8, 2026, and avoid bypassing platform security prompts.