TL;DR — 15 Second Read
- →OpenAI has confirmed its macOS app-signing GitHub Actions workflow downloaded the North Korea-backdoored Axios npm package version 1.14.1 on March 31, exposing the signing certificate used to authenticate ChatGPT Desktop, Codex, Codex CLI, and Atlas as trusted OpenAI software.
- →OpenAI found no evidence that the certificate was successfully stolen or that user data was compromised, but is treating the certificate as compromised and revoking it entirely — a standard and correct incident response posture when certificate exposure cannot be ruled out with certainty.
- →All macOS users of OpenAI apps must update to the new certificate-signed versions before May 8, 2026. After that date, older app versions will be blocked by macOS security protections and will stop launching — this is not optional.
- →This incident is part of a sweeping software supply chain attack wave in March 2026 that also compromised Trivy, LiteLLM, Telnyx, and two Checkmarx GitHub Actions workflows — with Google warning that hundreds of thousands of stolen secrets from these attacks are now potentially circulating in the wild.
OpenAI has revoked the signing certificate used to authenticate its macOS desktop applications after a GitHub Actions workflow in its signing pipeline downloaded a North Korea-backdoored version of the Axios npm package. The incident, which occurred on March 31, touched the certificate and notarization material used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas — four of OpenAI's most widely used macOS tools. Every macOS user of these applications must update to new certificate-signed versions before May 8, 2026, or their apps will stop working.
This is one of the highest-profile downstream casualties of a March 2026 software supply chain attack wave that has sent shockwaves through the cybersecurity, information security, and digital security communities globally. The Axios npm package — downloaded over 183 million times per week and used by millions of projects worldwide — was compromised by North Korean threat actors, creating a poisoned dependency that silently infected any developer environment that pulled the malicious version.
Affected products
- ·ChatGPT Desktop — versions below 1.2026.071
- ·Codex App — versions below 26.406.40811
- ·Codex CLI — versions below 0.119.0
- ·Atlas — versions below 1.2026.84.2
- ·Any npm project using Axios versions 1.14.1 or 0.30.4
How to Fix
Step-by-step remediation
For OpenAI macOS app users, the fix is a straightforward update. Open each installed OpenAI app and look for an in-app update mechanism. If none is available, visit openai.com and download the latest versions directly. The deadline is May 8, 2026 — after which macOS Gatekeeper will block any app signed with the revoked certificate from launching. Plan your updates well before that date to avoid operational disruption.
For development teams and DevSecOps engineers who may have used Axios in any project between late March and early April 2026, a thorough audit is needed. Run npm list axios --all across your project trees to identify any occurrence of versions 1.14.1 or 0.30.4. If found, treat the environment as potentially compromised: rotate all secrets and API keys accessible from that environment, check for the presence of the WAVESHAPER.V2 backdoor by looking for unexpected outbound connections to unfamiliar IPs, review .env files for unauthorized access, and check SSH key directories.
For GitHub Actions workflows specifically, the attack exploited the common practice of installing npm packages by version tag rather than pinning to a specific content digest. Replace any npm install axios@1.14.1 style references with digest-pinned equivalents using npm install axios@sha512-[hash] or equivalent lockfile-enforced pinning. Additionally, treat every CI runner as a potential breach point — use short-lived, narrowly scoped credentials, avoid pull_request_target triggers, and sandbox execution environments wherever possible.
What happened
The Axios supply chain attack was attributed by Google's Threat Intelligence Group to UNC1069, a North Korean state-sponsored hacking group. The attackers hijacked the npm account of the package maintainer and pushed two poisoned versions — 1.14.1 and 0.30.4 — that bundled a malicious dependency called plain-crypto-js. This dependency deployed a cross-platform backdoor named WAVESHAPER.V2 capable of infecting Windows, macOS, and Linux systems simultaneously.
OpenAI's GitHub Actions workflow for macOS app signing pulled Axios version 1.14.1 as part of its automated pipeline on March 31. The workflow had access to the certificate and notarization material used to cryptographically sign all four of OpenAI's macOS applications, telling macOS that these apps are genuine, trusted OpenAI software. When a signing certificate is exposed to a malicious payload — even briefly — standard computer security incident response requires treating it as compromised regardless of whether exfiltration can be confirmed.
OpenAI's analysis concluded that the signing certificate was "likely not successfully exfiltrated" due to the timing of payload execution, certificate injection sequencing, and other mitigating factors. However, the word "likely" is doing significant work in that sentence. The company correctly chose to revoke and rotate the certificate rather than rely on probabilistic analysis — because if the certificate had been silently stolen and used to sign malicious software, that software would appear to macOS as a fully trusted, legitimate OpenAI application.
Real-World Impact
The Axios and Trivy supply chain attacks of March 2026 represent the most significant open-source ecosystem compromise since the XZ Utils backdoor in 2024. Google has warned that "hundreds of thousands of stolen secrets" could be circulating as a result, with potential consequences including ransomware deployment, SaaS environment compromise, cryptocurrency theft, and further cascading supply chain attacks.
Two confirmed high-profile victims of the Trivy supply chain attack — which ran parallel to the Axios compromise — are AI data training startup Mercor and the European Commission. The LAPSUS$ extortion group claims to have exfiltrated approximately 4TB of data from Mercor, causing Meta to pause its work with the company. CERT-EU confirmed that threat actors used stolen AWS credentials from the Trivy attack to exfiltrate data from the Commission's cloud environment, affecting websites for up to 71 clients of Europa's web hosting service and outbound email communications. ShinyHunters has since publicly released that exfiltrated data on its dark web leak site.
GitGuardian's analysis found that 474 public repositories executed malicious code from the compromised Trivy GitHub Actions workflow, and 1,750 Python packages were configured to automatically pull the poisoned versions. TeamPCP, the cybercriminal group behind the Trivy attack and identified as CVE-2026-33634, has since pivoted from supply chain operations to monetizing the stolen credentials — partnering with Vect, LAPSUS$, and ShinyHunters while also launching a proprietary ransomware operation called CipherForce. The group reportedly validates stolen credentials using TruffleHog, launches discovery operations within 24 hours of validation, and then executes lateral movement and further data exfiltration.
FAQs
My ChatGPT Desktop app is working fine right now. Do I still need to update before May 8?
Yes, absolutely. Your app works now because macOS hasn't yet blocked the old certificate. On May 8, 2026, Apple and OpenAI will enforce the certificate revocation, and macOS Gatekeeper will prevent any app signed with the old certificate from launching. You will lose access to the app entirely if you don't update beforehand. Update now.
Did OpenAI confirm that user data or chat history was stolen?
OpenAI confirmed it found no evidence of user data access, system compromise, or intellectual property theft. The exposure was limited to the macOS app-signing certificate used in its CI/CD pipeline. The certificate is being revoked as a precautionary measure — not because confirmed exfiltration occurred, but because the possibility cannot be fully ruled out with certainty.
I use Axios in my Node.js project. How do I know if I'm affected?
Run npm list axios in your project directory. If you see version 1.14.1 or 0.30.4 in the output, you installed the malicious version. Upgrade to the latest safe version immediately with npm install axios@latest, then audit your environment for signs of credential theft — particularly check .env files, SSH keys, and cloud credential files for unexpected recent access.
Read Next
adobe acrobat · adobe reader
CVE-2026-34621: Adobe Releases Emergency Patch for Actively Exploited Acrobat Reader Flaw — Update Now
axios · npm
North Korea's UNC1069 Backdoored Axios npm Package — 183 Million Weekly Downloads Exposed to WAVESHAPER.V2 Backdoor
north korea · dprk
$285 Million Drift Hack: North Korea's UNC4736 Spent Six Months Building Trust Before Draining Everything in 10 Seconds
openai · gpt 5
OpenAI Launches GPT-5.4-Cyber: AI Built for Cybersecurity Defenders with Codex Security Fixing 3,000+ Critical Flaws
openai · chatgpt