OpenAI revealed that a GitHub Actions workflow used to sign its macOS apps downloaded a malicious version of the Axios library on March 31. However, the company confirmed that no user data or internal systems were compromised.
“Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps,” OpenAI said in a post last week. “We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered.”
Meanwhile, this disclosure follows a report from Google Threat Intelligence Group (GTIG), which attributed the supply chain compromise of a popular npm package to a North Korean hacking group tracked as UNC1069.
The attack allowed threat actors to hijack the package maintainer’s npm account and push two poisoned versions (1.14.1 and 0.30.4). These versions included a malicious dependency named “plain-crypto-js,” which deployed a cross-platform backdoor called WAVESHAPER.V2 to infect Windows, macOS, and Linux systems.
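As an added illustration (not code from the article or from any of the vendors it cites), the following script audits an npm lockfile for the two poisoned Axios versions and the malicious dependency named above. The lockfile content is constructed inline for the example; the package path layout follows npm's lockfileVersion 3 format.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 layout); not a real project's lockfile.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
            "dependencies": {"plain-crypto-js": "*"},
        },
        "node_modules/plain-crypto-js": {"version": "1.0.0"},  # constructed version value
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})

# Versions and dependency name reported for the poisoned Axios releases.
POISONED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_DEPENDENCY = "plain-crypto-js"


def audit_lockfile(lockfile_text: str) -> list[str]:
    """Return one finding per lockfile entry that matches the poisoned releases or dependency."""
    lock = json.loads(lockfile_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root entry describes the project itself, not an installed package
        # Works for nested and scoped packages: ".../node_modules/@scope/name" -> "@scope/name"
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name == "axios" and version in POISONED_AXIOS_VERSIONS:
            findings.append(f"{path}: axios {version} is a poisoned release")
        if name == MALICIOUS_DEPENDENCY:
            findings.append(f"{path}: malicious dependency {MALICIOUS_DEPENDENCY} is installed")
        if MALICIOUS_DEPENDENCY in meta.get("dependencies", {}):
            findings.append(f"{path}: declares {MALICIOUS_DEPENDENCY} as a dependency")
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCKFILE):
        print(finding)
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with the file's contents; an empty result means neither the poisoned versions nor the dependency appear in the resolved tree.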
Malicious Axios Version Executed in Signing Pipeline
Specifically, OpenAI confirmed that its GitHub Actions workflow—used in the macOS app-signing process—downloaded and executed Axios version 1.14.1. Additionally, this workflow accessed a certificate and notarization materials used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas.
“Our analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors,” the company said.
Even though investigators found no data exfiltration, OpenAI now treats the certificate as compromised and has started revoking and rotating it. Consequently, older versions of all macOS desktop apps will stop receiving updates or support starting May 8, 2026.
Furthermore, apps signed with the previous certificate will be blocked by macOS security protections by default, preventing downloads or execution.
The earliest releases signed with the updated certificate include:
- ChatGPT Desktop – 1.2026.071
- Codex App – 26.406.40811
- Codex CLI – 0.119.0
- Atlas – 1.2026.84.2
In addition, OpenAI continues working with Apple to ensure that software signed with the previous certificate cannot receive new notarization. The company highlighted the 30-day window until May 8, 2026 as a way to reduce disruption and give users time to update.
“In the event that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate OpenAI software,” OpenAI said. “We have stopped new software notarizations using the old certificate, so new software signed with the old certificate by an unauthorized third-party would be blocked by default by macOS security protections unless a user explicitly bypasses them.”
Axios and Trivy Attacks Signal Broader Supply Chain Threats
Notably, the breach of Axios, a widely used HTTP client library, marked one of two major supply chain attacks in March targeting the open-source ecosystem. The second incident targeted Trivy, a vulnerability scanner maintained by Aqua Security, which triggered cascading effects across five ecosystems.
Attackers from TeamPCP (aka UNC6780) deployed a credential stealer called SANDCLOCK, which extracted sensitive data from developer environments. Subsequently, they used stolen credentials to compromise npm packages and deploy a self-propagating worm named CanisterWorm.
Shortly after, attackers used stolen secrets from the Trivy intrusion to inject malware into GitHub Actions workflows maintained by Checkmarx. Then, they escalated the attack by publishing malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI).
“The Telnyx compromise indicates a continued change in the techniques used in TeamPCP’s supply chain activity, with adjustments to tooling, delivery methods, and platform coverage,” Trend Micro said in an analysis of the attack.
“In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving their delivery from inline Base64 to .pth auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence.”
On Windows systems, the Telnyx SDK compromise deployed an executable named “msbuild.exe.” This file used multiple obfuscation techniques to evade detection and extracted DonutLoader from a PNG image embedded in the binary. As a result, attackers loaded a full-featured trojan and a beacon linked to AdaptixC2, an open-source command-and-control framework.
Ongoing Campaign Identified as CVE-2026-33634
Security researchers have now classified the campaign as CVE-2026-33634, with analyses published by multiple cybersecurity firms.
- CrowdStrike
- FUTURESEARCH
- Hexastrike
- Kudelski Security
- Microsoft
- OpenSourceMalware
- Palo Alto Networks Unit 42
- ReversingLabs
- SOCRadar
- Sonatype
- StepSecurity
- Snyk
- Trend Micro
- TRUESEC
- Wiz
Meanwhile, although TeamPCP slowed its supply chain attacks, the group has shifted toward monetizing stolen credentials. It has reportedly partnered with groups like Vect, LAPSUS$, and ShinyHunters, and even launched a ransomware operation called CipherForce.
Additionally, attackers have started leveraging stolen data to infiltrate cloud and SaaS environments, marking a significant escalation.
“The credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data,” Wiz researchers said.
“While the speed at which they were used suggests that it was the work of the same threat actors responsible for the supply chain operations, we are not able to rule out the secrets being shared with other groups and used by them.”
Importantly, Google warned that “hundreds of thousands of stolen secrets” may now circulate due to the Axios and Trivy attacks, potentially fueling further supply chain attacks, SaaS compromises, ransomware incidents, and cryptocurrency theft.
Two confirmed victims of the Trivy attack are Mercor and the European Commission. Reports indicate that attackers exfiltrated data, with LAPSUS$ claiming to possess 4TB of data from Mercor. Consequently, Meta paused its collaboration with the company, according to a WIRED report.
Additionally, CERT-EU revealed that attackers used stolen AWS credentials to extract data from the Commission’s cloud environment, including website data and outbound communications. Later, ShinyHunters publicly released the dataset on the dark web.
Further analysis from GitGuardian showed that 474 public repositories executed malicious code from the compromised trivy-action workflow, while 1,750 Python packages automatically pulled the poisoned versions.
“TeamPCP is deliberately targeting security tools that run with elevated privileges by design. Compromising them gives the attacker access to some of the most sensitive environments in the organization, because security tools are typically granted broad access by design,” Brett Leatherman of the FBI said.
Security Recommendations to Prevent Future Attacks
Ultimately, these incidents highlight the risks of implicit trust in open-source ecosystems.
“Trust was assumed where it should have been verified,” Mark Lechner of Docker said.
“The organizations that came through these incidents with minimal damage had already begun replacing implicit trust with explicit verification at every layer of their stack…”
To mitigate risks, experts recommend:
- Pin packages by digest or commit SHA
- Use Docker Hardened Images (DHI)
- Enforce minimum release age settings
- Treat CI runners as potential breach points
- Use short-lived credentials
- Deploy internal mirrors or artifact proxies
- Implement canary tokens
- Audit for hard-coded secrets
- Run AI coding agents in sandboxed environments
- Use trusted publishing
- Enable two-factor authentication (2FA)
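The first recommendation, pinning by digest or commit SHA, is the one most directly aimed at the GitHub Actions workflow compromises described above. As an added example (not the article's or any vendor's code), this script lists every `uses:` reference in a workflow file that floats on a tag or branch instead of a commit SHA or image digest. The workflow text is constructed for the example, and the 40-character hex value in it is a placeholder, not a real commit of that action.

```python
import re

# Constructed sample workflow for illustration; not any real project's file.
# The 40-hex value below is a placeholder commit SHA, not a real commit of that action.
SAMPLE_WORKFLOW = """
name: sign-macos-app
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: docker://ghcr.io/example/tool:latest
      - uses: ./.github/actions/local-sign
      - run: npm ci --ignore-scripts
"""

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")          # git commit pin for actions
IMAGE_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")  # digest pin for docker:// images
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def is_pinned(ref: str) -> bool:
    """True if a `uses:` reference is pinned to a commit SHA or an image digest."""
    if ref.startswith("./"):
        return True  # local action: it is versioned with the repository itself
    _, sep, version = ref.rpartition("@")
    if not sep:
        return False  # no version at all: resolves to the default branch or :latest
    return bool(COMMIT_SHA.match(version) or IMAGE_DIGEST.match(version))


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return every `uses:` reference in the workflow that is not SHA- or digest-pinned."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append(m.group(1))
    return findings


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {ref}")
```

A tag such as `@v4` can be moved by whoever controls the action's repository, which is why a compromised maintainer account or CI secret can change what every downstream workflow runs; a commit SHA cannot be silently repointed.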
Finally, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-33634 to its Known Exploited Vulnerabilities (KEV) catalog. As a result, federal agencies must apply mitigations by April 9, 2026.
“The number of recent software supply chain attacks is overwhelming,” Charles Carmakal of Mandiant said. “Defenders need to pay close attention to these campaigns. Enterprises should spin up dedicated projects to assess the existing impact, remediate, and harden against future attacks.”
Source: TheHackerNews