
Cyber Incident Victim: OpenAI

Date: Mar 2026

Location: United States of America

Summary

OpenAI disclosed that a GitHub Actions workflow used to sign its macOS applications downloaded a compromised version of the Axios library during a supply chain attack linked to a North Korean threat group. The workflow had access to the certificate and notarization material for ChatGPT Desktop, Codex, Codex CLI and Atlas, but analysis showed the certificate was likely not exfiltrated. As a precaution, the company revoked and rotated the certificate, halted new notarizations with the old key and announced that older versions of its macOS apps will no longer receive updates or support.


Description

On March 31, 2026, the npm account of the lead maintainer of the Axios HTTP client library was compromised and two malicious versions of the package, labeled 1.14.1 and 0.30.4, were published. These versions contained a malicious dependency called plain-crypto-js that deployed the cross‑platform backdoor WAVESHAPER.V2 on Windows, macOS and Linux systems. Google’s Threat Intelligence Group attributed the compromise to the North Korean‑linked tracking designation UNC1069. OpenAI’s internal GitHub Actions workflow, which is used as part of the macOS app‑signing process for products such as ChatGPT Desktop, Codex, Codex CLI and Atlas, automatically downloaded and executed the malicious Axios version 1.14.1. The workflow had access to the code‑signing certificate and notarization material that OpenAI uses to attest that its macOS applications are legitimate. After investigating the incident, OpenAI stated that, based on the timing of the payload execution, the certificate injection into the job, the sequencing of the workflow steps and other mitigating factors, the signing certificate was likely not successfully exfiltrated by the malicious payload. The company found no evidence that any user data, internal systems or intellectual property had been accessed, altered or compromised.
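A defensive check built from the versions named above, added here as an example and not taken from the original report or from OpenAI's tooling: it scans a parsed package-lock.json for axios 1.14.1 or 0.30.4 and for any plain-crypto-js entry. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag the package versions named in this report in an npm lockfile.
const BAD_VERSIONS = new Map([["axios", ["1.14.1", "0.30.4"]]]);
const BAD_NAMES = ["plain-crypto-js"]; // any version counts as a hit

function check(name, version, where, hits) {
  const bad = BAD_NAMES.includes(name) ||
    (BAD_VERSIONS.get(name) || []).includes(version);
  if (bad) hits.push({ name, version, where });
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function walkV1(deps, path, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = path ? `${path} > ${name}` : name;
    check(name, info.version, where, hits);
    walkV1(info.dependencies, where, hits);
  }
}

// Takes the parsed contents of package-lock.json and returns the hits.
function scanLockfile(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = info.name || path.split("node_modules/").pop();
    check(name, info.version, path, hits);
  }
  // Version 2 files carry both forms; walk the tree only without "packages".
  if (!lock.packages) walkV1(lock.dependencies, "", hits);
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "signing-tools", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.0-sample" },
    "node_modules/foo/node_modules/axios": { version: "1.13.0" },
    "node_modules/@scope/pkg": { version: "2.0.0" },
  },
};

console.log(scanLockfile(sampleLock));
```

In a pipeline, pass it the result of JSON.parse on the lockfile and fail the job when the returned array is non-empty.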


In response OpenAI decided to revoke and rotate the signing certificate as a precautionary measure. Beginning May 8 2026 older versions of all OpenAI macOS desktop applications will no longer receive updates or support, and macOS security protections will block by default any attempt to download or launch software signed with the previous certificate. To allow users time to transition OpenAI provided a 30‑day window ending on that date and released the first builds signed with the new certificate: ChatGPT Desktop 1.2026.071, Codex App 26.406.40811, Codex CLI 0.119.0 and Atlas 1.2026.84.2. OpenAI is working with Apple to prevent new notarizations of software using the old certificate, ensuring that any unauthorized third‑party attempt to sign code with the revoked certificate would be blocked by macOS unless a user explicitly bypasses the protections. The company emphasized that, even if the certificate had been compromised, an attacker could only use it to sign malicious code that would appear as legitimate OpenAI software. OpenAI also confirmed that passwords and OpenAI API keys were not affected by the incident and noted that the root cause was a misconfiguration in the GitHub Actions workflow, which has since been corrected.

The Axios compromise was one of two significant supply chain attacks observed in March 2026; the other involved the Trivy vulnerability scanner and was attributed to a cybercriminal group known as TeamPCP (also tracked as UNC6780). That intrusion deployed a credential stealer named SANDCLOCK, which was subsequently used to compromise additional npm packages and to publish malicious versions of projects such as LiteLLM and Telnyx to PyPI. The broader campaign resulted in the assignment of CVE‑2026‑33634, which was added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, obligating Federal Civilian Executive Branch agencies to apply mitigations by April 9 2026. Security researchers reported that Huntress observed evidence of the malicious Axios execution on 135 machines and that Wiz detected the malicious version in approximately three percent of the environments they monitored. These facts describe the scope, the attacker’s actions, OpenAI’s detection and response, and the immediate consequences for its macOS user base.
