OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident

Dev.to / 4/24/2026


Key Points

  • A North Korean threat group, UNC1069, carried out an npm Axios supply-chain attack by poisoning specific library versions with a backdoor (WAVESHAPER.V2).
  • The malicious versions were inadvertently pulled into OpenAI’s macOS app signing GitHub Actions workflow, leading OpenAI to revoke the affected macOS app certificate for multiple products.
  • OpenAI reported no evidence that the signing credentials were exfiltrated or that user data was compromised, but because the backdoored package was pulled into the signing workflow the credentials were exposed, and the certificate was revoked on that basis.
  • OpenAI required users to update impacted apps by May 8, 2026, including ChatGPT Desktop, Codex, Codex CLI, and Atlas.
  • The incident underscores the heightened risk that software supply chain compromises pose to AI software delivery pipelines.

Forensic Summary

A North Korean threat group (UNC1069) compromised the popular npm Axios library via a supply chain attack, injecting a backdoor (WAVESHAPER.V2) into two poisoned versions that were inadvertently downloaded by OpenAI's macOS app-signing GitHub Actions workflow. Although OpenAI found no evidence of certificate exfiltration or user data compromise, the incident exposed the signing credentials for ChatGPT Desktop, Codex, Codex CLI, and Atlas, prompting certificate revocation and mandatory app updates by May 8, 2026. The attack highlights the acute risk of software supply chain compromises against AI product delivery pipelines.
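The failure mode described above is a build pipeline resolving a freshly published, backdoored release of a dependency, possibly several levels down the tree. The check a practitioner wants before a signing job runs is a lockfile audit: every path at which the package is resolved, whether any of those versions is on a denylist, and whether every copy carries an integrity hash. The script below is an added example written for this summary; it is not OpenAI's or the Axios project's tooling. It handles both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1. The two denylisted version strings are placeholders, since this summary does not name the poisoned releases, and the embedded lockfile is constructed sample data.

```python
"""Audit an npm package-lock.json for every resolved copy of one package.

Added example, not code from OpenAI or the Axios project. Reports each path
where the package is resolved (direct or transitive), flags versions on a
denylist, and flags copies with no "integrity" hash.
"""
import json
import sys
from typing import Dict, List, Set, Tuple

# Placeholder versions: this summary does not name the two poisoned Axios
# releases, so substitute the advisory's real version strings here.
DENYLIST: Dict[str, Set[str]] = {
    "axios": {"0.0.0-placeholder-a", "0.0.0-placeholder-b"},
}

# Constructed sample lockfile (v3 shape). The nested axios copy under
# some-sdk simulates a transitive resolution of a denylisted version that
# also lacks an integrity hash.
SAMPLE_LOCK = {
    "name": "sign-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sign-app",
             "dependencies": {"axios": "^1.7.0", "some-sdk": "^2.0.0"}},
        "node_modules/axios": {"version": "1.7.9",
                               "integrity": "sha512-constructedHashA=="},
        "node_modules/some-sdk": {"version": "2.0.0",
                                  "integrity": "sha512-constructedHashB=="},
        "node_modules/some-sdk/node_modules/axios": {
            "version": "0.0.0-placeholder-a"},
    },
}


def resolved_copies(lock: dict, name: str) -> List[Tuple[str, str, str]]:
    """Return (install_path, version, integrity) for every copy of `name`."""
    found: List[Tuple[str, str, str]] = []
    suffix = f"node_modules/{name}"

    if "packages" in lock:  # lockfile v2/v3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path == suffix or path.endswith("/" + suffix):
                found.append((path, meta.get("version", ""),
                              meta.get("integrity", "")))
        return found

    def walk(deps: dict, prefix: str) -> None:  # lockfile v1: nested tree
        for dep, meta in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name:
                found.append((path, meta.get("version", ""),
                              meta.get("integrity", "")))
            walk(meta.get("dependencies") or {}, path + "/")

    walk(lock.get("dependencies") or {}, "")
    return found


def audit(lock: dict, name: str,
          denylist: Dict[str, Set[str]] = DENYLIST) -> List[str]:
    """Return one finding line per problem; an empty list means clean."""
    findings: List[str] = []
    bad = denylist.get(name, set())
    for path, version, integrity in resolved_copies(lock, name):
        if version in bad:
            findings.append(f"DENYLISTED {name}@{version} at {path}")
        if not integrity:
            findings.append(f"NO-INTEGRITY {name}@{version} at {path}")
    return findings


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    results = audit(lock, "axios")
    for line in results or ["no findings"]:
        print(line)
    sys.exit(1 if results else 0)
```

Run it as a step ahead of `npm ci` in the signing workflow and fail the job on a non-zero exit. The denylist catches a known-bad release after the fact; the control that prevents the next one is installing only from a committed lockfile with `npm ci`, so that a fresh `npm install` on the runner cannot silently resolve a release published after the lockfile was reviewed.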

Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/openai-revokes-macos-app-certificate-after-malicious-axios-supply-chain-incident/