Full Report
OpenAI revealed a GitHub Actions workflow used to sign its macOS apps, which downloaded the malicious Axios library on March 31, but noted that no user data or internal system was compromised. "Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps," OpenAI said in a post last week. "We found
Analysis Summary
# Incident Report: OpenAI macOS App Certificate Revocation (Axios Supply Chain Attack)
## Executive Summary
OpenAI identified a security incident where a GitHub Actions workflow used to sign macOS applications downloaded a compromised version of the popular `axios` npm library. The malicious package, attributed to North Korean threat group UNC1069, was designed to deploy backdoors and exfiltrate secrets. While OpenAI found no evidence of data exfiltration or system compromise, the company has revoked and rotated its macOS code-signing certificates out of an abundance of caution.
## Incident Details
- **Discovery Date:** April 2026 (Following attribution by Google Threat Intelligence Group)
- **Incident Date:** March 31, 2026
- **Affected Organization:** OpenAI
- **Sector:** Artificial Intelligence / Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 31, 2026
- **Vector:** Supply Chain Compromise (Upstream Dependency)
- **Details:** Threat actor UNC1069 hijacked the `axios` maintainer's account and published poisoned versions (1.14.1 and 0.30.4). OpenAI's GitHub Actions workflow automatically downloaded version 1.14.1 during a build process.
### Lateral Movement
- **Details:** The malicious payload, `plain-crypto-js`, attempted to deploy a cross-platform backdoor called WAVESHAPER.V2. However, OpenAI internal analysis suggests the attack did not progress to lateral movement within their internal network.
### Data Exfiltration/Impact
- **Details:** No evidence of data exfiltration was found. Specifically, the macOS signing certificate and notarization materials were likely not successfully exfiltrated due to the specific sequencing of the CI/CD job and payload execution timing.
### Detection & Response
- **Detection:** Initial awareness followed a broader disclosure by Google Threat Intelligence Group (GTIG) regarding the Axios/UNC1069 campaign.
- **Response Actions:** Internal forensic analysis of build logs, rotation of all build secrets, revocation of compromised macOS certificates, and coordination with Apple for notarization blocks.
## Attack Methodology
- **Initial Access:** Supply chain attack via hijacked npm package `axios`.
- **Persistence:** Implementation of WAVESHAPER.V2 backdoor (cross-platform).
- **Privilege Escalation:** Not applicable (thwarted at CI/CD level).
- **Defense Evasion:** Use of a legitimate-looking dependency name (`plain-crypto-js`) to mask malicious activity.
- **Credential Access:** Targeting of GitHub Actions secrets, specifically code-signing certificates and notarization credentials.
- **Discovery:** N/A.
- **Lateral Movement:** N/A.
- **Collection:** N/A.
- **Exfiltration:** Attempted exfiltration of signing material.
- **Impact:** Potential for unauthorized third parties to sign malicious code as "OpenAI," though no software alteration was detected.
## Impact Assessment
- **Financial:** Non-disclosed costs related to incident response and re-issuance of software.
- **Data Breach:** None (No user data or IP compromised).
- **Operational:** Disruption for users of legacy macOS apps; forced updates required for all macOS users by May 8, 2026.
- **Reputational:** Minor impact; mitigated by transparent disclosure and the fact that it was part of a wider industry-scale supply chain attack.
## Indicators of Compromise
- **File indicators:**
- `axios` versions 1.14.1 and 0.30.4
- `plain-crypto-js` (malicious dependency)
- WAVESHAPER.V2 (malware family)
- **Behavioral indicators:** Unexpected network requests from CI/CD runners to unknown external endpoints during the build phase.
## Response Actions
- **Containment:** Stopped all new software notarizations using the legacy certificate.
- **Eradication:** Versions of apps signed with the old certificate will be blocked by macOS Gatekeeper after May 8, 2026.
- **Recovery:** Released updated versions of ChatGPT Desktop (v1.2026.071+), Codex, and Atlas signed with new, secure certificates.
## Lessons Learned
- **Dependency Lag:** Automated CI/CD pipelines that pull the "latest" version of dependencies are highly susceptible to immediate supply chain poisoning.
- **Build Isolation:** The sequencing of secrets injection in CI/CD jobs can act as a natural mitigator if the malicious payload executes before the secrets are exposed to the environment.
## Recommendations
- **Dependency Pinning:** Hardware-lock or "pin" specific versions of external libraries in `package-lock.json` and use a private registry/proxy to vet updates.
- **Software Bill of Materials (SBOM):** Maintain and scan SBOMs for all production releases to identify compromised components retroactively.
- **Ephemeral Runners:** Ensure CI/CD runners are isolated and wiped immediately after a build to prevent persistent backdoors in the build environment.