OpenAI Revokes macOS Cert After Axios npm Supply Chain Attack

OpenAI has initiated an emergency certificate revocation and rotation for all macOS desktop applications after a North Korea-linked threat actor compromised the widely used Axios npm library, briefly exposing the company’s code-signing pipeline on March 31, 2026.

The company confirmed that no user data, intellectual property, or software was altered, but is enforcing mandatory app updates for all macOS users before a hard deadline of May 8, 2026.

The Axios Supply Chain Attack

On March 31, 2026, between 00:21 and 03:20 UTC, a North Korea-nexus threat actor tracked as UNC1069 gained unauthorized access to an Axios npm maintainer’s account and published two malicious package versions, v1.14.1 and v0.30.4.

Google’s Threat Intelligence Group (GTIG) attributed the campaign to UNC1069 based on malware code overlap, infrastructure reuse, and alignment with previously observed North Korean tactics.

The malicious releases introduced a concealed dependency called plain-crypto-js a stealthy, cross-platform Remote Access Trojan (RAT) capable of executing hidden code, exfiltrating credentials, and establishing persistent remote access.

With Axios recording over 100 million weekly npm downloads, the three-hour window during which the tainted versions were live represented a massive attack surface; every CI/CD pipeline that triggered. npm install During that period pulled compromised code.

How OpenAI’s Pipeline Was Hit

OpenAI’s macOS app-signing process relies on a GitHub Actions workflow that, on March 31, automatically downloaded and executed the malicious Axios v1.14.1 during its normal build routine.

This workflow held privileged access to the code-signing certificate and notarization materials used to authenticate OpenAI’s macOS applications, including ChatGPT Desktop, Codex, Codex CLI, and Atlas, as legitimate software from OpenAI.

The root cause was a misconfiguration in the GitHub Actions workflow: the action referenced a floating version tag rather than a pinned, specific commit hash. It lacked a configured minimumReleaseAge parameter for new package versions.

This meant the workflow blindly trusted and consumed the latest published version of Axios the moment it appeared, with no delay or integrity verification gate in place.

OpenAI’s forensic analysis concluded that the signing certificate was likely not successfully exfiltrated, owing to the timing of the payload’s execution relative to the certificate injection sequence within the job.

Nevertheless, the company engaged a third-party digital forensics and incident response (DFIR) firm, audited all prior notarization events associated with the old certificate, and confirmed that no unauthorized software was signed using the exposed credentials.

Certificate Revocation and Mandatory App Updates

Applying a zero-trust posture, OpenAI is treating the certificate as fully compromised regardless of forensic findings. The company has already:

Rotated the macOS code-signing certificate and published new builds for all affected applications
Halted all new notarizations using the old certificate, ensuring any rogue app signed with it will be blocked by macOS Gatekeeper by default
Partnered with Apple to prevent any future notarization of software signed with the previous certificate
Reviewed all historical notarization events to validate that no unexpected binaries were authorized

Effective May 8, 2026, older macOS app versions will lose update support and may stop functioning entirely. macOS security protections will block new downloads and first launches of apps signed with the revoked certificate once full revocation is enforced.

The minimum versions that carry the updated certificate are:

Application	Minimum Required Version
ChatGPT Desktop	1.2026.051
Codex App	26.406.40811
Codex CLI	0.119.0
Atlas	1.2026.84.2

All macOS users should update immediately via the in-app update prompt or download directly from OpenAI’s official pages at chatgpt.com/download, chatgpt.com/codex, and chatgpt.com/atlas. Users must avoid installing any OpenAI app from emails, ads, chat messages, or third-party download sites.

Broader Supply Chain Security Implications

This incident is a textbook example of a software supply chain attack, in which adversaries compromise a trusted upstream dependency to achieve downstream privilege escalation across thousands of organizations simultaneously.

GTIG has urged all developers and organizations using Axios to audit dependency trees for compromised versions, rotate any potentially exposed secrets, and implement strict version pinning with enhanced supply chain monitoring.

Security experts emphasize that the industry-standard safeguard of pinning dependencies to specific commit hashes rather than mutable version tags would have entirely prevented OpenAI’s workflow from pulling the malicious release.

Organizations running CI/CD pipelines are advised to enforce minimumReleaseAge policies for new packages, deploy software composition analysis (SCA) tools, and apply least-privilege access principles to code-signing material within build environments.

The 30-day grace period OpenAI has provided before full revocation is a deliberate decision to minimize disruption.

Since the new notarization with the old certificate is already blocked, any fraudulent app signed with it will fail macOS Gatekeeper checks without requiring user action, providing a safety buffer while legitimate users complete their updates.