OpenAI Revokes macOS Code Signing Certificate After North Korea-Linked Axios Supply Chain Attack
Introduction
OpenAI has disclosed that its macOS app-signing process was affected by the North Korea-linked Axios npm supply chain attack that hit in late March. A GitHub Actions workflow used during code signing downloaded and executed the malicious Axios version 1.14.1, which had access to the certificate used to sign ChatGPT Desktop, Codex, and other OpenAI macOS apps. As a precaution, OpenAI is revoking and rotating the certificate, with full revocation taking effect on May 8.
What Happened
In late March 2026, North Korean threat actors tracked as UNC1069 compromised the npm account of a lead Axios maintainer through targeted social engineering and published malicious packages (version 1.14.1) that contained a cross-platform remote access trojan. The poisoned packages were live for only a few hours before detection, but the blast radius was significant.
OpenAI's investigation revealed that one of its GitHub Actions workflows, used to sign macOS applications, downloaded and executed the malicious Axios version during the compromise window. That workflow had access to the code signing certificate and notarization material used for ChatGPT Desktop, Codex, Codex-cli, and Atlas. While OpenAI believes, based on timing and other factors, that the certificate was not actually exfiltrated, it is treating the certificate as potentially compromised.
OpenAI has stopped issuing new software signatures with the old certificate. After full revocation on May 8, any software signed with the compromised certificate will be blocked by macOS security protections. The company stressed that no user data or internal systems were compromised.
Broader industry impact numbers are sobering: security firm Huntress found evidence of compromise on 135 machines, and Wiz observed the malicious Axios version executed in 3% of affected cloud environments. Axios has over 100 million weekly npm downloads, making this one of the most consequential npm supply chain attacks to date.
Why It Matters
This incident demonstrates how supply chain attacks cascade. A single compromised npm package flowed through automated CI/CD pipelines and reached into the code signing infrastructure of one of the world's most prominent AI companies. If the certificate had been fully exfiltrated, an attacker could have signed malware that macOS would trust as legitimate OpenAI software — a nightmare scenario for the millions of users running ChatGPT Desktop. For any organization running automated build and signing pipelines, this is a wake-up call: your CI/CD dependencies are part of your trust chain, and a poisoned library can reach the most sensitive parts of your infrastructure.
Who Is Affected
- Users of OpenAI macOS apps (ChatGPT Desktop, Codex, Codex-cli, Atlas) signed with the old certificate
- Any organization whose CI/CD pipelines pulled Axios 1.14.1 during the compromise window (late March 2026)
- Developers and teams using Axios as a dependency without lockfile pinning or integrity verification
- macOS users who may encounter certificate warnings after May 8 when the old certificate is fully revoked
How to Protect Yourself
1. Update OpenAI macOS apps
Download the latest versions of ChatGPT Desktop and other OpenAI apps, which are signed with the new certificate:
brew update && brew upgrade --cask chatgpt
Or download directly from OpenAI's website.
2. Check if your projects consumed the malicious Axios version
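# Check package-lock.json, yarn.lock and pnpm-lock.yaml for Axios 1.14.1
# (dots escaped so they match literally; 1.14.10 and later do not match)
grep -nE 'axios.*1\.14\.1([^0-9]|$)' package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null
# Check the top-level copy installed in node_modules
grep '"version"' node_modules/axios/package.json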
If version 1.14.1 was ever installed, treat the build environment as compromised.
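The node_modules check above only sees the top-level copy, while a transitive dependency can carry its own nested Axios. The following added example (not code from the article or from OpenAI) walks a parsed package-lock.json in both the v1 and v2/v3 layouts and reports every install path that resolves to the bad version; the sample lockfile and the `some-sdk` package name are constructed for illustration.

```javascript
// Added example (not from the article): locate every resolved copy of a
// package at a given version inside a parsed package-lock.json.
const BAD = { name: "axios", version: "1.14.1" }; // version named in the article

function findInLockfile(lock, bad = BAD) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    // "name" is recorded when it differs from the folder name (aliases);
    // otherwise derive it from the segment after the last "node_modules/".
    const name = meta.name || path.split("node_modules/").pop();
    if (name === bad.name && meta.version === bad.version) hits.push(path);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${prefix}node_modules/${name}`;
      if (name === bad.name && meta.version === bad.version) hits.push(here);
      walk(meta.dependencies, `${here}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: the top-level axios is clean, a transitive copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/some-sdk": { version: "2.0.0" }, // hypothetical package
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
  },
};

console.log(findInLockfile(SAMPLE_LOCK));
```

To scan a real project, pass the function the result of `JSON.parse` on the contents of package-lock.json.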
3. Pin dependencies and enforce integrity checks
# Use npm ci (respects lockfile strictly)
npm ci
# Keep the lockfile enabled (npm checks its integrity hashes on install) and save exact versions
npm config set package-lock true
npm config set save-exact true
4. Audit your CI/CD pipeline dependencies
Review what your GitHub Actions workflows, GitLab CI, or Jenkins pipelines install at build time. Ensure signing workflows have minimal, pinned dependencies:
Example: pin Axios to a known-good version in package.json:
"dependencies": {
  "axios": "1.14.0"
}
Never allow floating version ranges (^ or ~) in workflows that access signing certificates or secrets.
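A range such as `^1.14.0` would have accepted 1.14.1, so a signing workflow can refuse to run when any spec floats or any locked package has no hash to verify. This added example (not code from the article or from OpenAI) implements that gate over parsed package.json and package-lock.json objects; the sample inputs, package names other than axios, and the `gate` function name are constructed for illustration.

```javascript
// Added example (not from the article): a pre-signing gate that flags floating
// dependency specs and lockfile entries with no integrity hash.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Every spec in package.json that is not one exact version (^, ~, x, tags, URLs).
function floatingSpecs(pkg) {
  const out = [];
  for (const field of FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) out.push(`${field}: ${name}@${spec}`);
    }
  }
  return out;
}

// Installed packages (lockfileVersion 2/3) that npm cannot hash-check on install.
function missingIntegrity(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, m]) =>
      path.includes("node_modules/") && !m.link && !m.inBundle && !m.integrity)
    .map(([path]) => path);
}

function gate(pkg, lock) {
  const problems = [
    ...floatingSpecs(pkg),
    ...missingIntegrity(lock).map((p) => `no integrity: ${p}`),
  ];
  return { ok: problems.length === 0, problems };
}

// Constructed sample input (hashes and the git URL are placeholders).
const SAMPLE_PKG = {
  dependencies: { axios: "^1.14.0", "left-pad": "1.3.0" },
  devDependencies: { eslint: "~9.1.0" },
};
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/axios": { version: "1.14.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/internal-tool": { version: "0.3.0", resolved: "git+ssh://git@example.invalid/tool.git" },
  },
};

console.log(gate(SAMPLE_PKG, SAMPLE_LOCK));
```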
5. Isolate code signing from general build steps
Code signing should run in a separate, hardened environment with no access to the public npm registry. Use a vetted internal mirror or pre-audited dependency cache instead.
6. Rotate credentials if your pipeline was affected
If your CI/CD environment executed Axios 1.14.1, rotate:
- Code signing certificates and keys
- CI/CD secrets and tokens (GitHub Actions secrets, GitLab CI variables)
- npm tokens and registry credentials
- Any API keys or cloud credentials accessible from the build environment
Source
OpenAI Impacted by North Korea-Linked Axios Supply Chain Hack — SecurityWeek