Supply‑chain trust break

A software package that OpenAI used in its Mac app-signing pipeline was compromised on March 31, 2026, and the company rotated its macOS certificates on April 10. (openai.com) Code-signing is the digital stamp that tells macOS an app really came from a named developer. OpenAI said a GitHub Actions job in that signing process downloaded and executed malicious Axios version 1.14.1, and that job had access to certificate and notarization material for ChatGPT Desktop, Codex App, Codex Command Line Interface, and Atlas. (openai.com) OpenAI said it found no evidence that user data was accessed, its systems or intellectual property were compromised, or its software was altered. It still revoked and rotated the certificate, published new Mac builds, and said older versions will stop receiving updates or support on May 8, 2026. (openai.com) The immediate risk was not a stolen chat history or exposed application programming interface key. The risk was that a leaked signing certificate could let someone make a fake OpenAI app look legitimate to macOS users. (axios.com) (openai.com) That is why OpenAI’s Mac guidance changed at the certificate level, not just the app version level. Its help center now says the Team ID stayed the same, but the organization name and certificate fingerprint changed, so companies that allowlist by certificate details need to update those rules. (help.openai.com) The broader incident started in the Node Package Manager registry, where attackers published malicious Axios versions 1.14.1 and 0.30.4 under the real package name. Google Threat Intelligence Group said the attacker added a dependency called plain-crypto-js version 4.2.1, which used an install script to run an obfuscated dropper. (cloud.google.com) Microsoft said those poisoned Axios releases contacted command-and-control infrastructure and downloaded a second-stage remote access trojan, with the activity attributed to the North Korean state actor Sapphire Sleet. Google attributed the campaign to a North Korea-linked cluster it tracks as UNC1069. (microsoft.com) (cloud.google.com) Google said the malicious Axios packages were live from 00:21 to 03:20 Coordinated Universal Time on March 31, 2026. Datadog said Axios has more than 100 million weekly downloads and about 174,000 dependent Node Package Manager packages, which is why one bad release could spread into build systems far beyond a single developer laptop. (cloud.google.com) (securitylabs.datadoghq.com) OpenAI said its analysis suggests the signing certificate in that workflow was likely not exfiltrated because of the timing of the payload, when the certificate was injected into the job, and other mitigations. The company said it also reviewed notarization activity tied to the old certificate and found no unexpected software notarization. (openai.com) Axios maintainer Jason Saayman said in a GitHub post-mortem that his npm account was compromised and used to publish the two malicious releases directly to the registry. That detail matters because the attacker did not need to break the source code repository to poison downstream builds. (github.com) The result is a breach measured in trust, not in leaked records. OpenAI’s fix was to replace the digital stamp on its Mac apps before anyone could try to reuse the old one. (openai.com)