OpenAI has taken action to secure its macOS applications following a supply chain attack involving a malicious version of the Axios library. The incident, which occurred on March 31, did not result in any user data breaches or system compromises, according to the company.
OpenAI’s Swift Response
In response to this threat, OpenAI is implementing measures to protect the integrity of its macOS apps. Although no evidence was found of data access, system compromise, or software alteration, the company is prudently revoking and rotating the certificate used for app signing. This move is intended to ensure that the applications remain secure and trustworthy for all users.
The breach was linked to a North Korean hacking group, UNC1069, which exploited npm package vulnerabilities to distribute backdoor software. OpenAI’s GitHub Actions workflow unintentionally downloaded a compromised version of Axios, but due to preventive factors, the signing certificate was not exfiltrated.
Implications for macOS Users
With the certification changes, older macOS app versions will no longer receive updates post-May 8, 2026. The security measures implemented by OpenAI mean that apps signed with the previous certificate will be blocked by default, safeguarding users from potential threats.
OpenAI is working closely with Apple to prevent any new notarizations of software signed with the old certificate. This cooperation aims to minimize user disruption and allow users time to transition to updated app versions.
Broader Supply Chain Threats
This Axios incident is one of two significant supply chain attacks in March, the other targeting the vulnerability scanner Trivy. These attacks have widespread implications, affecting various software ecosystems and highlighting vulnerabilities in open-source dependencies.
The group behind these attacks, TeamPCP, has been linked to other cybercriminal activities, including credential theft and ransomware operations. Their tactics have evolved rapidly, targeting security tools with elevated privileges to compromise sensitive environments.
Google and other security organizations warn that these incidents could lead to further software supply chain attacks and have significant repercussions, including data breaches and ransomware incidents. Developers and organizations are urged to adopt robust security practices to mitigate these risks.
In light of these threats, both Docker and PyPI maintainers have issued guidelines to help developers enhance their security protocols, including pinning package versions, using trusted publishing methods, and implementing two-factor authentication.
As the cybersecurity landscape becomes increasingly complex, vigilance and proactive measures are essential to protect against evolving threats.
