{"id":573,"date":"2026-04-13T08:06:06","date_gmt":"2026-04-13T08:06:06","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=573"},"modified":"2026-04-13T08:06:06","modified_gmt":"2026-04-13T08:06:06","slug":"openai-revokes-macos-app-certificate-after-malicious-axios-supply-chain-incident","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=573","title":{"rendered":"OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident"},"content":{"rendered":"<div id=\"articlebody\">\n<p>OpenAI\u00a0revealed that a GitHub Actions workflow used to sign its macOS apps downloaded the malicious Axios library on March 31, but noted that no user data or\u00a0internal system\u00a0was compromised.<\/p>\n<p>\u00abOut of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps,\u00bb\u00a0OpenAI <a href=\"https:\/\/openai.com\/index\/axios-developer-tool-compromise\/\">said<\/a> in a post last week. 
\u00abWe found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was\u00a0altered.\u00bb<\/p>\n<p>The\u00a0disclosure comes a little over a week after Google Threat Intelligence Group (GTIG) attributed\u00a0the supply chain compromise of the popular npm package to a North Korean hacking group it tracks\u00a0as UNC1069.<\/p>\n<p>The\u00a0attack enabled the threat actors to hijack the package maintainer&#8217;s npm account to push two poisoned versions 1.14.1\u00a0and\u00a00.30.4\u00a0that came embedded with a malicious dependency named \u00abplain-crypto-js,\u00bb which deployed a cross-platform backdoor called WAVESHAPER.V2\u00a0to infect Windows, macOS, and Linux\u00a0systems.<\/p>\n<p>The\u00a0artificial intelligence (AI) company said a GitHub Actions workflow it uses as part of its macOS app-signing process downloaded and executed Axios version 1.14.1. The\u00a0workflow, it added, had access to a certificate and notarization material used for signing ChatGPT Desktop, Codex, Codex CLI, and\u00a0Atlas.<\/p>\n<p>\u00abOur analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors,\u00bb the company\u00a0said.<\/p>\n<p>Despite finding no evidence of data exfiltration, OpenAI said it&#8217;s treating the certificate as compromised and that it&#8217;s revoking and rotating it. 
As\u00a0a result, older versions of all its macOS desktop apps will no longer receive updates or support starting May 8,\u00a02026.<\/p>\n<p>This\u00a0also means that apps signed with the previous certificate will be blocked by macOS security protections by default, preventing them from being downloaded or launched. The\u00a0earliest releases signed with their updated certificate are listed below\u00a0&#8211;<\/p>\n<ul>\n<li>ChatGPT Desktop &#8211; 1.2026.071<\/li>\n<li>Codex App &#8211; 26.406.40811<\/li>\n<li>Codex CLI &#8211; 0.119.0<\/li>\n<li>Atlas &#8211; 1.2026.84.2<\/li>\n<\/ul>\n<p>As\u00a0part of its remediation efforts, OpenAI is also working with Apple to ensure software signed with the previous certificate cannot be newly notarized. The\u00a030-day window till May 8, 2026, is a way to minimize user disruption and give them enough time to make sure they are updated to the latest version, it pointed\u00a0out.<\/p>\n<p>\u00abIn the event\u00a0that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate OpenAI software,\u00bb OpenAI said. 
\u00abWe have stopped new software notarizations using the old certificate, so new software signed with the old certificate by an unauthorized third-party would be blocked by default by macOS security protections unless a user explicitly bypasses\u00a0them.\u00bb<\/p>\n<h3>Two Supply Chain Attacks Rock\u00a0March<\/h3>\n<p>The\u00a0breach of Axios, one of the most widely used HTTP client libraries, was one of the two major supply chain attacks that took place in March aimed at the open-source ecosystem.\u00a0The <a href=\"https:\/\/ramimac.me\/teampcp\/\">other\u00a0incident<\/a>\u00a0targeted <a href=\"https:\/\/www.aquasec.com\/blog\/trivy-supply-chain-attack-what-you-need-to-know\/\">Trivy<\/a>, a vulnerability scanner maintained by Aqua Security, resulting\u00a0in <a href=\"https:\/\/snyk.io\/articles\/trivy-github-actions-supply-chain-compromise\/\">cascading\u00a0impacts<\/a> across five ecosystems, affecting a number of other popular libraries depending on\u00a0it.<\/p>\n<p>The\u00a0attack, the work of a cybercriminal group\u00a0called TeamPCP (aka UNC6780), deployed a credential stealer dubbed SANDCLOCK that facilitated the extraction of sensitive data from developer environments. Subsequently, the threat actors weaponized the stolen credentials to compromise npm packages and push a self-propagating worm\u00a0named <a href=\"https:\/\/www.stepsecurity.io\/blog\/canisterworm-how-a-self-propagating-npm-worm-is-spreading-backdoors-across-the-ecosystem\">CanisterWorm<\/a>.<\/p>\n<p>Days\u00a0later, the crew used secrets pilfered from the Trivy intrusion to inject the same malware into two GitHub Actions workflows maintained by Checkmarx. 
The\u00a0threat actors then followed it up by publishing malicious versions\u00a0of <a href=\"https:\/\/docs.litellm.ai\/blog\/security-update-march-2026\">LiteLLM<\/a>\u00a0and <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/telnyx-pypi-2026-teampcp-supply-chain-attacks\">Telnyx<\/a> to the Python Package Index (PyPI), both of which use Trivy in their CI\/CD\u00a0pipeline.<\/p>\n<p>\u00abThe Telnyx compromise indicates a continued change in the techniques used in TeamPCP&#8217;s supply chain activity, with adjustments to tooling, delivery methods, and platform coverage,\u00bb Trend\u00a0Micro <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/teampcp-telnyx-attack-marks-a-shift-in-tactics.html\">said<\/a> in\u00a0an <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/your-ai-stack-just-handed-over-your-root-keys-inside-the-litellm-pypi-breach.html\">analysis of the\u00a0attack<\/a>.<\/p>\n<p>\u00abIn just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving their delivery from inline Base64 to .pth\u00a0auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence.\u00bb<\/p>\n<p>On\u00a0<a href=\"https:\/\/www.ox.security\/blog\/teampcps-telnyx-windows-malware-technical-analysis\/\">Windows\u00a0systems<\/a>, the hack of\u00a0the <a href=\"https:\/\/x.com\/TheEnergyStory\/status\/2038238773721325996\">Telnyx Python\u00a0SDK<\/a> resulted in the deployment of an executable named \u00abmsbuild.exe\u00bb that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and\u00a0a <a href=\"https:\/\/www.threatlocker.com\/blog\/supply-chain-attack-security-scanner-compromise-leads-to-widespread-infostealer-and-ransomware-pivot\">beacon<\/a> 
associated\u00a0with AdaptixC2, an open-source command-and-control (C2) framework.<\/p>\n<p>Additional analyses of the campaign, now identified as CVE-2026-33634, have been published by various cybersecurity vendors\u00a0&#8211;<\/p>\n<p>TeamPCP&#8217;s supply chain compromise rampage may have come to an end, but the group has since shifted its focus towards monetizing existing credential harvests by teaming up with other financially motivated groups like Vect, LAPSUS$, and ShinyHunters. Evidence indicates that the threat actor has also launched a proprietary ransomware operation under the name CipherForce.<\/p>\n<p>These\u00a0efforts have been complemented by TeamPCP&#8217;s use of the stolen data to access cloud and software-as-a-service (SaaS) environments, marking\u00a0a new-found escalation of the campaign. To\u00a0that end, the cybercrime gang has been found to verify stolen credentials using TruffleHog, launch discovery operations within 24 hours of validation, exfiltrate more data, and attempt lateral movement to gain access to the broader\u00a0network.<\/p>\n<p>\u00abThe credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data,\u00bb Wiz researchers <a href=\"https:\/\/www.wiz.io\/blog\/tracking-teampcp-investigating-post-compromise-attacks-seen-in-the-wild\">said<\/a>. 
\u00abWhile the speed at which they were used suggests that it was the work of the same threat actors responsible for the supply chain operations, we are not able to rule out the secrets being shared with other groups and used by\u00a0them.\u00bb<\/p>\n<h3>Attacks Ripple Through Dependencies<\/h3>\n<p>Google\u00a0has <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/north-korea-threat-actor-targets-axios-npm-package\">warned<\/a> that \u00abhundreds of thousands of stolen secrets\u00bb could potentially be circulating as a result of the Axios and Trivy attacks, fueling more software supply chain attacks, SaaS environment compromises, ransomware and extortion events, and cryptocurrency theft over the near\u00a0term.<\/p>\n<p>Two organizations that have confirmed compromise through the Trivy supply chain attack are artificial intelligence (AI) data training\u00a0startup <a href=\"https:\/\/x.com\/mercor_ai\/status\/2039101905675403306\">Mercor<\/a> and\u00a0the <a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_26_748\">European Commission<\/a>. While\u00a0the company has not shared details on the impact, the LAPSUS$ extortion group listed Mercor on its leak site, claiming to have exfiltrated about 4TB of data. The\u00a0Mercor breach has led Meta to pause its work with the company, according to\u00a0a <a href=\"https:\/\/www.wired.com\/story\/meta-pauses-work-with-mercor-after-data-breach-puts-ai-industry-secrets-at-risk\/\">report<\/a> from\u00a0WIRED.<\/p>\n<p>Earlier this month,\u00a0CERT-EU <a href=\"https:\/\/cert.europa.eu\/blog\/european-commission-cloud-breach-trivy-supply-chain\">revealed<\/a> that the threat actors used the stolen AWS secret to exfiltrate data from the Commission&#8217;s cloud environment. This\u00a0included data relating to websites hosted for up to 71 clients of the Europa web hosting service and outbound email communications. 
The\u00a0ShinyHunters group has since released the exfiltrated dataset publicly on its dark web leak\u00a0site.<\/p>\n<p>GitGuardian&#8217;s <a href=\"https:\/\/blog.gitguardian.com\/team-pcp-snowball-analysis\/\">analysis<\/a> of the Trivy and LiteLLM supply chain attacks and their spread through dependencies and automation pipelines has found that 474 public repositories executed malicious code from the compromised \u00abtrivy-action\u00bb workflow, and 1,750 Python packages were configured in a way that would automatically pull the poisoned\u00a0versions.<\/p>\n<p>\u00abTeamPCP is deliberately targeting security tools that run with elevated privileges by design. Compromising them gives the attacker access to some of the most sensitive environments in the organization, because security tools are typically granted broad access by design,\u00bb Brett Leatherman, assistant director of Cyber Division at the U.S. Federal Bureau of Investigation\u00a0(FBI), <a href=\"https:\/\/www.linkedin.com\/posts\/bleatherman_fbicyber-share-7442369430245826560-IA9x\/?rcm=ACoAAA98Bu8BVZIE7tjrbfEgLetF8Wf_4bWQNHc&amp;skipRedirect=true\">wrote<\/a> on\u00a0LinkedIn.<\/p>\n<p>The supply chain incidents are dangerous because they take aim at the inherent trust developers assume when downloading packages and dependencies from open-source repositories. 
\u00abTrust was assumed where it should have been verified,\u00bb Mark Lechner, chief information security officer at\u00a0Docker, <a href=\"https:\/\/www.docker.com\/blog\/defending-your-software-supply-chain-what-every-engineering-team-should-do-now\/\">said<\/a>.<\/p>\n<p>\u00abThe organizations that came through these incidents with minimal damage had already begun replacing implicit trust with explicit verification at every layer of their stack: verified base images instead of community pulls, pinned references instead of mutable tags, scoped and short-lived credentials instead of long-lived tokens, and sandboxed execution environments instead of wide-open CI\u00a0runners.\u00bb<\/p>\n<p>Both Docker and the Python Package Index (PyPI) maintainers\u00a0have <a href=\"https:\/\/blog.pypi.org\/posts\/2026-04-02-incident-report-litellm-telnyx-supply-chain-attack\/\">outlined<\/a> a long list of recommendations that developers can implement to counter such attacks\u00a0&#8211;<\/p>\n<ul>\n<li>Pin packages by digest or commit SHA instead of mutable tags.<\/li>\n<li>Use Docker Hardened Images (DHI).<\/li>\n<li>Enforce minimum release age settings to delay adoption of new versions for dependency updates.<\/li>\n<li>Treat every CI runner as a potential breach point and avoid pull_request_target triggers in GitHub Actions unless absolutely necessary.<\/li>\n<li>Use short-lived, narrowly scoped 
credentials.<\/li>\n<li>Use an internal mirror or artifact proxy.<\/li>\n<li>Deploy canary tokens to get alerted to potential exfiltration attempts.<\/li>\n<li>Audit environment for hard-coded secrets.<\/li>\n<li>Run AI coding agents in sandboxed environments.<\/li>\n<li>Use trusted publishing to push packages to <a href=\"https:\/\/docs.npmjs.com\/trusted-publishers\">npm<\/a> and <a href=\"https:\/\/docs.pypi.org\/trusted-publishers\/\">PyPI<\/a>.<\/li>\n<li>Secure the open-source development pipeline with two-factor authentication (2FA).<\/li>\n<\/ul>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has\u00a0also <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/03\/26\/cisa-adds-one-known-exploited-vulnerability-catalog\">added<\/a> CVE-2026-33634 to its Known Exploited Vulnerabilities\u00a0(<a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">KEV<\/a>) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by April 9,\u00a02026.<\/p>\n<p>\u00abThe number of recent software supply chain attacks is overwhelming,\u00bb Charles Carmakal, chief technology officer of Mandiant Consulting at\u00a0Google, <a href=\"https:\/\/www.linkedin.com\/posts\/charlescarmakal_cybersecurity-threatintel-supplychain-activity-7444746390288789504-rHpT\/?rcm=ACoAAAAHXmsBeL1ZrOKRT8g9rCLjiQfqDSJUjk4\">said<\/a>. \u00abDefenders need to pay close attention to these campaigns. Enterprises should spin up dedicated projects to assess the existing impact, remediate, and harden against future\u00a0attacks.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>OpenAI\u00a0revealed a GitHub Actions workflow used to sign its macOS apps, which downloaded the malicious Axios library on March 31, but noted that no user data or\u00a0internal system\u00a0was compromised. 
\u00abOut&hellip;<\/p>\n","protected":false},"author":1,"featured_media":574,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[790,980,1184,219,1185,421,33,512,1183,218],"class_list":["post-573","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-app","tag-axios","tag-certificate","tag-chain","tag-incident","tag-macos","tag-malicious","tag-openai","tag-revokes","tag-supply"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=573"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/573\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/574"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}