OpenAI is rotating doubtlessly uncovered macOS code-signing certificate after a GitHub Movements workflow completed a malicious Axios bundle all over a up to date provide chain assault.
The corporate stated that on March 31, 2026, the official workflow downloaded and completed a compromised Axios bundle (model 1.14.1) that was once utilized in assaults to deploy malware on units.
That workflow had get right of entry to to code-signing certificate used to signal OpenAI’s macOS apps, together with ChatGPT Desktop, Codex, Codex CLI, and Atlas.
Whilst OpenAI says its investigation discovered no proof that the signing certificates was once compromised, the corporate is treating it as doubtlessly compromised out of warning and is now revoking and rotating it.
“Out of an abundance of warning we’re taking steps to give protection to the method that certifies our macOS packages are official OpenAI apps. We discovered no proof that OpenAI person knowledge was once accessed, that our methods or highbrow assets was once compromised, or that our tool was once altered,” explains an OpenAI safety advisory.
“We’re updating our safety certificate, which would require all macOS customers to replace their OpenAI apps to the newest variations.”
macOS customers will wish to replace their apps to variations signed with the brand new certificates, as older variations might forestall running on Would possibly 8, 2026.
OpenAI labored with a third-party incident reaction company to habits an investigation, which discovered no proof that the incident uncovered its certificate or that they have been used to distribute malicious tool. The corporate additionally analyzed earlier notarization process connected to the certificates and showed that the whole thing signed with it was once official.
Alternatively, if the attacker acquired the certificates, they might use it to signal their very own macOS packages that seem to be legitimately signed through OpenAI.
Due to this fact, to scale back the chance, OpenAI says it’s running with Apple to make sure no long term tool may also be notarized with the former certificates.
OpenAI says that the certificates will probably be absolutely revoked on Would possibly 8, and then makes an attempt to release packages signed with it is going to be blocked through macOS protections.
OpenAI says the problem is proscribed to its macOS packages and does no longer impact its internet products and services or apps on iOS, Android, Home windows, or Linux. It additionally says person accounts, passwords, and API keys weren’t impacted.
Customers are prompt to replace by the use of in-app options or the reliable obtain pages, and to keep away from putting in tool from hyperlinks despatched by the use of electronic mail, commercials, or third-party websites.
The corporate says it is going to proceed tracking for any indicators that the previous certificates is being misused and might accelerate the revocation timeline if anything else suspicious is detected.
The Axios provide chain assault has been connected to North Korean risk actors tracked as UNC1069, who performed a social engineering marketing campaign in opposition to probably the most mission’s maintainers.
After engaging in a pretend internet convention name that resulted in the set up of malware, the risk actors received get right of entry to to the maintainer’s account and printed malicious variations of the Axios bundle to npm.
This malicious bundle integrated a dependency that put in a faraway get right of entry to trojan (RAT) on macOS, Home windows, and Linux methods.
Consistent with researchers, the attackers approached builders thru convincing faux collaboration setups, together with Slack workspaces and Microsoft Groups calls, ultimately tricking them into putting in malware that resulted in credential robbery and downstream provide chain compromises.
The process has been connected to a bigger marketing campaign to compromise standard open-source tasks for in style provide chain assaults.
Computerized pentesting proves the trail exists. BAS proves whether or not your controls forestall it. Maximum groups run one with out the opposite.
This whitepaper maps six validation surfaces, presentations the place protection ends, and offers practitioners with 3 diagnostic questions for any software analysis.
