OpenAI Discloses Compromise in macOS App Signing Workflow
OpenAI has issued a statement regarding a significant security incident that occurred on March 31, revealing that a GitHub Actions workflow tied to the signing of its macOS applications inadvertently downloaded a malicious Axios library. Fortunately, the company has confirmed that this breach did not affect user data or compromise internal systems.
In a recent blog post, OpenAI stated, “Out of an abundance of caution, we are taking steps to protect the certification process that ensures our macOS applications are legitimate OpenAI products.” The company emphasized that there is no evidence suggesting that any user data was accessed or that its systems, intellectual property, or software integrity were compromised.
This revelation comes in the wake of the Google Threat Intelligence Group’s attribution of the Axios supply chain compromise to a North Korean hacker group known as UNC1069. The incident involved threat actors seizing control of the package maintainer’s npm account, allowing them to push two malicious versions—1.14.1 and 0.30.4—embedded with a harmful dependency called “plain-crypto-js” that deployed a backdoor named WAVESHAPER.V2, capable of infecting Windows, macOS, and Linux systems.
OpenAI indicated that the workflow used for signing applications accessed Axios version 1.14.1 during the incident. This workflow had permissions to access sensitive signing certificates and notarization materials used for applications such as ChatGPT Desktop and Codex. In response, OpenAI believed the signing certificate was unlikely to have been exfiltrated due to mitigating factors related to the timing and sequencing of the payload execution.
Despite the absence of data exfiltration, OpenAI is treating the certificate as compromised and plans to revoke and replace it. This proactive measure means that older versions of all macOS desktop applications, effective May 8, 2026, will receive no further updates or support. Applications signed with the older certificate will be blocked by macOS security protocols to prevent unauthorized access.
To prevent potential misuse, OpenAI is collaborating with Apple to ensure that software signed with the compromised certificate cannot be newly notarized. The company has allowed a 30-day window to enable users to transition to the latest versions of its applications.
This incident is part of a worrying trend in supply chain attacks, highlighted by the Axios breach. It is one of two major incidents in March that targeted the open-source ecosystem, with a separate attack on the Trivy vulnerability scanner leading to widespread implications across multiple software libraries.
Threat actors have increasingly demonstrated evolving tactics, suggesting a shift to sophisticated methods that leverage compromised security tools for broader access. The implications of these incidents extend beyond specific companies, emphasizing the need for vigilance and robust security practices across all sectors.
Understanding potential adversary tactics within the MITRE ATT&CK framework is vital. Initial access strategies likely involved credential theft and exploitation of third-party software vulnerabilities. Furthermore, threats associated with persistence and privilege escalation may have enabled attackers to manipulate legitimate workflows, highlighting the intrinsic vulnerabilities that organizations face when relying on open-source dependencies.
In a landscape increasingly fraught with security challenges, businesses must remain vigilant and proactive in their cybersecurity strategies to mitigate the risk of supply chain attacks and protect their applications and data.