Supply‑chain cyberattacks surface
Reports tie a supply-chain cyberattack to Ralph Lauren, naming CEVA Logistics among the partners referenced in the campaign. Separate coverage details a compromise of the Axios npm package that required fixes and reportedly affected OpenAI and other cloud and service providers, highlighting the risk carried by third-party software and service partners. (escudodigital.com) (thecyberexpress.com) (show.it)
Supply-chain cyberattacks have now touched both retail and software, with Ralph Lauren and users of the Axios code library caught up in separate April disclosures. (escudodigital.com) (openai.com)

In Ralph Lauren's case, DigitalShield reported on April 14 that the intrusion appears to have come through a third party rather than Ralph Lauren's own systems, and it named CEVA Logistics among the partners referenced in the campaign. The report did not say that Ralph Lauren or CEVA had publicly confirmed the full scope of the incident. (escudodigital.com)

A supply-chain attack works like tampering with a shipment at the vendor before it reaches the customer: attackers breach a supplier, a software package, or a service provider, then ride that existing trust into downstream targets. That differs from breaking directly into a company's network through its own login page or servers. (securityweek.com) (therecord.media)

The software case is more concrete. Google Threat Intelligence Group and Microsoft said attackers compromised the official Axios package on the npm (Node Package Manager) registry on March 31, 2026, publishing malicious versions 1.14.1 and 0.30.4. (cloud.google.com) (microsoft.com) Axios is a widely used JavaScript HTTP client for sending data between apps and servers, so a poisoned release is picked up by any developer laptop or automated build that resolves the dependency while the release is live, and can spread in minutes. Google said the malicious releases were live on March 31 between 00:21 and 03:20 UTC, and Microsoft said the malicious package pulled second-stage malware from attacker-controlled servers. (cloud.google.com) (microsoft.com)

OpenAI said on April 10 that one of its GitHub Actions workflows downloaded and executed Axios 1.14.1 on March 31 during a macOS app-signing process. The company said that workflow had access to certificate and notarization material used for ChatGPT Desktop, Codex, the Codex command-line interface, and Atlas. (openai.com) OpenAI said it found no evidence that user data, internal systems, or production environments were compromised, but it still revoked and replaced the affected macOS signing certificate and rotated related credentials. It also said users should update ChatGPT Desktop for macOS to version 1.2026.098 or later. (openai.com) The practical lesson for anyone running a similar pipeline is that code which executes during a dependency install or build inherits every secret the job can reach, so signing and notarization credentials belong in a separate job that installs no third-party packages, and should be treated as exposed once such a job is found to have run a malicious version.

Google tracks the Axios operation as UNC1069, while Microsoft attributes it to Sapphire Sleet, a North Korean state actor. Both companies said the malicious package used a fake dependency called plain-crypto-js to install malware on Windows, macOS, and Linux systems. (cloud.google.com) (microsoft.com)

The two cases show the same weak point from different angles: in fashion, the outside partner handling part of the business; in software, the outside package handling part of the code. In both, the initial trust relationship appears to have mattered more than the target's own front door. (escudodigital.com) (openai.com) (cloud.google.com)
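The indicators above (axios 1.14.1 and 0.30.4, the fake plain-crypto-js dependency, and Google's 00:21 to 03:20 UTC window on March 31, 2026) are exactly what a team triaging its own CI runs would check for. The script below is an added example written for this page; it is not code from OpenAI, Google, Microsoft, or the Axios project. It assumes a package-lock.json in lockfileVersion 2 or 3 format (the `packages` map keyed by node_modules path) and uses a constructed sample lockfile embedded inline; the function names, the verdict labels, and the sample project are all hypothetical.

```javascript
"use strict";

// Indicators reported by Google Threat Intelligence Group and Microsoft
// for the March 31, 2026 axios compromise, as stated in the article.
const MALICIOUS_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const SUSPECT_DEPENDENCY = "plain-crypto-js";
// Window during which Google said the malicious releases were live (UTC).
const WINDOW_START = Date.parse("2026-03-31T00:21:00Z");
const WINDOW_END = Date.parse("2026-03-31T03:20:00Z");

// Derive a package name from a lockfile "packages" key such as
// "node_modules/a/node_modules/@scope/b"; prefer an explicit "name" field.
function packageName(lockPath, entry) {
  if (entry.name) return entry.name;
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk a package-lock.json (lockfileVersion 2 or 3) and return every entry
// that matches an indicator. Each finding is { path, name, version, reason }.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project entry, not a dependency
    const name = packageName(lockPath, entry);
    const version = entry.version || "";
    if (name === "axios" && MALICIOUS_AXIOS_VERSIONS.has(version)) {
      findings.push({ path: lockPath, name, version, reason: "known-malicious-axios-version" });
    }
    if (name === SUSPECT_DEPENDENCY) {
      findings.push({ path: lockPath, name, version, reason: "suspect-dependency-installed" });
    }
    // The malicious axios declared plain-crypto-js as a dependency, so flag
    // any package that declares it even if the install was later pruned.
    if (entry.dependencies && Object.prototype.hasOwnProperty.call(entry.dependencies, SUSPECT_DEPENDENCY)) {
      findings.push({ path: lockPath, name, version, reason: "declares-suspect-dependency" });
    }
  }
  return findings;
}

// True if an install/build timestamp (ISO 8601) falls inside the reported window.
function installedDuringWindow(isoTimestamp) {
  const t = Date.parse(isoTimestamp);
  if (Number.isNaN(t)) throw new Error(`bad timestamp: ${isoTimestamp}`);
  return t >= WINDOW_START && t <= WINDOW_END;
}

// Combine both checks into one triage verdict for a single CI run.
// A run inside the window with a clean lockfile still needs its dependency
// resolution logs reviewed, because the lockfile may have been regenerated since.
function triage(lock, installTimestamp) {
  const findings = scanLockfile(lock);
  const inWindow = installedDuringWindow(installTimestamp);
  let verdict = "clean";
  if (findings.length > 0) verdict = "compromised-artifact";
  else if (inWindow) verdict = "review-resolution-logs";
  return { findings, inWindow, verdict };
}

// Constructed sample lockfile for a hypothetical "release-signer" project;
// it is not a real project's lockfile and exists only to exercise the checks.
const SAMPLE_LOCK = {
  name: "release-signer",
  lockfileVersion: 3,
  packages: {
    "": { name: "release-signer", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "follow-redirects": "^1.15.6", "plain-crypto-js": "^1.0.0" },
    },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
  },
};

// Example run: a build that installed at 02:05 UTC on March 31 with this lockfile.
const sampleTriage = triage(SAMPLE_LOCK, "2026-03-31T02:05:00Z");
console.log(JSON.stringify(sampleTriage, null, 2));
```

On the sample the script reports three findings (the malicious axios version, axios declaring plain-crypto-js, and plain-crypto-js itself installed) and the verdict `compromised-artifact`. The timestamp check matters on its own: a job that ran inside the window but whose lockfile now looks clean may have been re-locked after the fact, so its original resolution logs should be read before the run is declared unaffected.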