OpenAI has disclosed a significant security incident tied to a March 31, 2026, supply chain attack on the widely used Axios JavaScript library, urging all macOS users to immediately update their ChatGPT and Codex CLI applications before the May 8, 2026, deadline.
On March 31, 2026, attackers executed a sophisticated software supply chain attack against Axios, the most popular JavaScript HTTP client with over 100 million weekly npm downloads, by hijacking the lead maintainer’s npm account.
The attacker changed the account email to an attacker-controlled ProtonMail address (ifstap@proton.me) and manually published two poisoned versions: axios@1.14.1 and axios@0.30.4, targeting both the modern 1.x and legacy 0.x release branches within 39 minutes of each other.
Critically, neither malicious version has any corresponding commit, tag, or release in the official Axios GitHub repository; they existed solely on npm, and the publish method bypassed GitHub Actions’ OIDC Trusted Publisher safeguards by using a stolen npm access token.
The attacker pre-staged the operation roughly 18 hours in advance, first publishing a clean decoy package (plain-crypto-js@4.2.0) to establish a history in the npm registry and reduce suspicion.
The actual malicious payload, plain-crypto-js@4.2.1, was published as a phantom dependency: it was injected into the compromised Axios package.json but never imported into the source code. It was designed to execute a postinstall hook and drop a cross-platform Remote Access Trojan (RAT) on macOS, Windows, and Linux.
Automated npm security scanners flagged the malicious dependency within just 6 minutes of publication, and npm administrators removed the compromised packages approximately 3 hours after initial deployment.
How the Malware Worked
The phantom dependency’s setup.js dropper used layered obfuscation (an XOR cipher with the key OrDeR_7077, combined with base64 reversal and runtime string decoding) to evade static analysis. Upon execution, the script fingerprinted the victim’s operating system and dispatched platform-specific payloads:
- macOS: An AppleScript dropper downloaded a persistent binary saved to /Library/Caches/com.apple.act.mond (mimicking an Apple system daemon), launched in the background and connected to the C&C server at sfrclak[.]com:8000
- Windows: A VBScript launcher (6202033.vbs) wrote a renamed PowerShell binary (wt.exe), disguised as Windows Terminal, to %PROGRAMDATA%, executing a fileless second-stage payload entirely in memory using [scriptblock]::Create()
- Linux: A Python-based RAT (/tmp/ld.py) was downloaded and executed detached via nohup, orphaned to PID 1 to survive parent process termination
In a particularly sophisticated anti-forensics move, setup.js self-deleted after execution, removed the malicious package.json, and swapped in a pre-staged clean stub, leaving any post-infection inspection of node_modules/plain-crypto-js/ appearing completely benign. Google has associated this broader hacking operation with a North Korean threat actor group.
OpenAI’s Exposure: GitHub Actions and macOS Code Signing
OpenAI’s exposure to this attack came through a GitHub Actions workflow used to build, sign, and notarize its macOS applications.
That automated CI/CD pipeline downloaded the compromised Axios artifact on March 31, and crucially, the workflow had access to a signing and notarization certificate used to authenticate macOS binaries as legitimate OpenAI software.
This created a scenario where, if the signing certificate had been exfiltrated, a threat actor could theoretically distribute a malicious app that macOS would accept as an authentic OpenAI application.
OpenAI’s subsequent investigation concluded the certificate was likely not exfiltrated, and the company found no evidence that user data, API keys, intellectual property, or its core systems were accessed or altered.
Nevertheless, the company is treating this with maximum caution: it is revoking the old certificate and issuing new signing credentials for all macOS applications.
What OpenAI Users Must Do
OpenAI has issued a 30-day update window before enforcing the new certificate, with a hard deadline of May 8, 2026, after which older macOS app versions will stop receiving updates and may cease functioning entirely. Affected applications include ChatGPT for macOS and Codex CLI. Users can update through the in-app update mechanism or download directly from official OpenAI links.
Importantly, no password changes are required; neither passwords nor OpenAI API keys were affected by this incident. The attack did not impact Android, Linux, or Windows users of OpenAI applications; only the macOS-specific signing workflow was in the affected blast radius.
Palo Alto Networks Unit 42 researchers observed widespread impact across the Government, Finance, Retail, Healthcare, and Technology sectors stemming from the broader Axios compromise.
Developer and Enterprise Remediation
For organizations whose CI/CD pipelines may have pulled the compromised Axios versions during the roughly three-hour exposure window, Trend Micro and Arctic Wolf strongly advise the following:
- Pin to safe versions: Downgrade to axios@1.14.0 (1.x branch) or axios@0.30.3 (0.x branch) immediately
- Scan for the phantom dependency: The presence of node_modules/plain-crypto-js/ is definitive evidence of compromise
- Rotate all credentials: npm tokens, AWS keys, SSH keys, CI/CD secrets, and .env values should all be rotated
- Use npm ci --ignore-scripts as a standing policy to prevent post-install hook execution
- Block C&C at the DNS/network level: Add sfrclak.com (IP: 142.11.206.73) to organizational blocklists
- If RAT artifacts are found, do not attempt to clean in place; rebuild from a known-good state.
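The scan step above can be automated. The following Node.js sketch is an added example, not code from OpenAI, Trend Micro, or Arctic Wolf. It checks a package-lock.json for the two poisoned Axios versions and the phantom dependency, and tests only for the existence of node_modules/plain-crypto-js/, since the dropper replaced that directory's contents with a clean stub. The function names and the sample lockfile are constructed for illustration.

```javascript
// Indicators are the ones named in this article; function names are hypothetical.
const BAD_AXIOS = new Set(['1.14.1', '0.30.4']);
const PHANTOM = 'plain-crypto-js';

// Scan a parsed package-lock.json: v2/v3 "packages" map, or the v1 "dependencies" tree.
function scanLockfile(lock) {
  const findings = [];
  const check = (name, version, where) => {
    if (name === PHANTOM) findings.push(`${PHANTOM}@${version} at ${where}`);
    if (name === 'axios' && BAD_AXIOS.has(version)) findings.push(`axios@${version} at ${where}`);
  };
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      const idx = key.lastIndexOf('node_modules/');
      if (idx === -1) continue; // root project or workspace entry, not an installed package
      check(key.slice(idx + 'node_modules/'.length), meta.version, key);
    }
    return findings; // v2 files also carry a legacy "dependencies" copy; skip it to avoid duplicates
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, `${trail}>${name}`);
      walk(meta.dependencies, `${trail}>${name}`);
    }
  };
  walk(lock.dependencies, 'root');
  return findings;
}

// Check a project on disk: lockfile entries plus the phantom directory itself.
async function scanProject(dir) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const findings = [];
  const lockPath = path.join(dir, 'package-lock.json');
  if (fs.existsSync(lockPath)) findings.push(...scanLockfile(JSON.parse(fs.readFileSync(lockPath, 'utf8'))));
  // Existence is the indicator; the files inside were swapped for a benign-looking stub.
  const phantomDir = path.join(dir, 'node_modules', PHANTOM);
  if (fs.existsSync(phantomDir)) findings.push(`directory present: ${phantomDir}`);
  return findings;
}

// Constructed sample lockfile (v3 layout), not from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/axios': { version: '1.14.1' },
  'node_modules/plain-crypto-js': { version: '4.2.1' },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

An empty result from scanProject() does not clear a build host on its own if installs ran during the exposure window without a committed lockfile; CI logs and npm cache contents from that period should be reviewed as well.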
This incident reinforces a critical but often overlooked risk: a single maintainer account compromise on a package with 100 million weekly downloads can cascade into exposure across millions of downstream applications in minutes.
The attack’s success in bypassing OIDC Trusted Publisher safeguards by using a stolen npm token rather than going through the official CI/CD pipeline underscores the need for registry-level authentication reforms, such as mandatory OIDC binding for high-download packages and account-change cooldown windows.
FAQ
Q1: Was my OpenAI account or password compromised in the Axios supply chain attack?
OpenAI confirmed that passwords and API keys were not affected, and that no user data was accessed.
Q2: Which OpenAI apps require an immediate update due to this incident?
Only macOS apps are affected, specifically ChatGPT for macOS and Codex CLI.
Q3: What is the deadline to update OpenAI macOS apps before they stop working?
Users must update before May 8, 2026, after which older unupdated versions may cease to function.
Q4: How can developers check if their project was exposed to the malicious Axios versions?
Check for the presence of node_modules/plain-crypto-js/ in your project; its existence confirms compromise.
Site: thecybrdef.com