{"id":45354,"date":"2026-04-13T20:08:11","date_gmt":"2026-04-13T12:08:11","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/13\/openai-revokes-macos-app-certificate-after-malicious-axios-supply-chain-incident\/"},"modified":"2026-04-13T20:08:11","modified_gmt":"2026-04-13T12:08:11","slug":"openai-revokes-macos-app-certificate-after-malicious-axios-supply-chain-incident","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/13\/openai-revokes-macos-app-certificate-after-malicious-axios-supply-chain-incident\/","title":{"rendered":"OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident"},"content":{"rendered":"<div style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjE5gb0KURzHAgdXMKzxbNFW1AJ8G2ezWXrHrLReEmbX6BKaG3-tIjiDVcjk-4nIZ3Kg2_564qiWXVVGcERIi4vaUvjqG-BuENXb7i6P3M2rdOHz-S9DOcKIHZ-pa1odUyUdTI-lLify_9CRXYcZu3hyY2LXeTMp1wMRr7mnu7yQdIIjGrFXCAecG4-XVpS\/s1600\/openai.jpg\" style=\"clear: left; display: block; float: left; padding: 1em 0px; text-align: center;\"><img decoding=\"async\" border=\"0\" data-original-height=\"470\" data-original-width=\"900\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjE5gb0KURzHAgdXMKzxbNFW1AJ8G2ezWXrHrLReEmbX6BKaG3-tIjiDVcjk-4nIZ3Kg2_564qiWXVVGcERIi4vaUvjqG-BuENXb7i6P3M2rdOHz-S9DOcKIHZ-pa1odUyUdTI-lLify_9CRXYcZu3hyY2LXeTMp1wMRr7mnu7yQdIIjGrFXCAecG4-XVpS\/s1600\/openai.jpg\" alt=\"OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident\" \/><\/a><\/div>\n<p>OpenAI revealed a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no user data or internal system was compromised.<\/p>\n<p>&#8220;Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps,&#8221;&nbsp;OpenAI <a href=\"https:\/\/openai.com\/index\/axios-developer-tool-compromise\/\">said<\/a> in a post last week. &#8220;We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was&nbsp;altered.&#8221;<\/p>\n<p>The&nbsp;disclosure comes a little over a week after Google Threat Intelligence Group (GTIG) attributed&nbsp;the <a href=\"https:\/\/thehackernews.com\/2026\/04\/google-attributes-axios-npm-supply.html\">supply chain compromise<\/a> of the popular npm package to a North Korean hacking group it tracks&nbsp;as <a href=\"https:\/\/thehackernews.com\/2026\/04\/unc1069-social-engineering-of-axios.html\">UNC1069<\/a>.<\/p>\n<p>The&nbsp;attack enabled the threat actors to hijack the package maintainer&#8217;s npm account to push two poisoned versions 1.14.1&nbsp;and&nbsp;0.30.4&nbsp;that came embedded with a malicious dependency named &#8220;plain-crypto-js,&#8221; which deployed a cross-platform backdoor called WAVESHAPER.V2&nbsp;to infect Windows, macOS, and Linux&nbsp;systems.<\/p>\n<p>The&nbsp;artificial intelligence (AI) company said a GitHub Actions workflow it uses as part of its macOS app-signing process downloaded and executed Axios version 1.14.1. The&nbsp;workflow, it added, had access to a certificate and notarization material used for signing ChatGPT Desktop, Codex, Codex CLI, and&nbsp;Atlas.<\/p>\n<p>&#8220;Our analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors,&#8221; the company&nbsp;said.<\/p>\n<p>Despite finding no evidence of data exfiltration, OpenAI said it&#8217;s treating the certificate as compromised and that it&#8217;s revoking and rotating it. As&nbsp;a result, older versions of all its macOS desktop apps will no longer receive updates or support starting May 8,&nbsp;2026.<\/p>\n<p>This&nbsp;also means that apps signed with the previous certificate will be blocked by macOS security protections by default, preventing them from being downloaded or launched. The&nbsp;earliest releases signed with their updated certificate are listed below&nbsp;&#8211;<\/p>\n<ul>\n<li>ChatGPT Desktop &#8211; 1.2026.071<\/li>\n<li>Codex App &#8211; 26.406.40811<\/li>\n<li>Codex CLI &#8211; 0.119.0<\/li>\n<li>Atlas &#8211; 1.2026.84.2<\/li>\n<\/ul>\n<p>As&nbsp;part of its remediation efforts, OpenAI is also working with Apple to ensure software signed with the previous certificate cannot be newly notarized. The&nbsp;30-day window till May 8, 2026, is a way to minimize user disruption and give them enough time to make sure they are updated to the latest version, it pointed&nbsp;out.&nbsp;<\/p>\n<p>&#8220;In the event&nbsp;that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate OpenAI software,&#8221; OpenAI said. &#8220;We have stopped new software notarizations using the old certificate, so new software signed with the old certificate by an unauthorized third-party would be blocked by default by macOS security protections unless a user explicitly bypasses&nbsp;them.&#8221;<\/p>\n<p> <a name=\"more\"><\/a> <\/p>\n<h3>Two Supply Chain Attacks Rock&nbsp;March<\/h3>\n<p>The&nbsp;breach of Axios, one of the most widely used HTTP client libraries, was one of the two major supply chain attacks that took place in March aimed at the open-source ecosystem.&nbsp;The <a href=\"https:\/\/ramimac.me\/teampcp\/\">other&nbsp;incident<\/a>&nbsp;targeted <a href=\"https:\/\/www.aquasec.com\/blog\/trivy-supply-chain-attack-what-you-need-to-know\/\">Trivy<\/a>, a vulnerability scanner maintained by Aqua Security, resulting&nbsp;in <a href=\"https:\/\/snyk.io\/articles\/trivy-github-actions-supply-chain-compromise\/\">cascading&nbsp;impacts<\/a> across five ecosystems, affecting a number of other popular libraries depending on&nbsp;it.<\/p>\n<p>The&nbsp;attack, the work of a cybercriminal group&nbsp;called <a href=\"https:\/\/thehackernews.com\/2026\/03\/teampcp-pushes-malicious-telnyx.html\">TeamPCP<\/a> (aka UNC6780), deployed a credential stealer dubbed SANDCLOCK that facilitated the extraction of sensitive data from developer environments. Subsequently, the threat actors weaponized the stolen credentials to compromise npm packages and push a self-propagating worm&nbsp;named <a href=\"https:\/\/www.stepsecurity.io\/blog\/canisterworm-how-a-self-propagating-npm-worm-is-spreading-backdoors-across-the-ecosystem\">CanisterWorm<\/a>.<\/p>\n<p>Days&nbsp;later, the crew used secrets pilfered from the Trivy intrusion to inject the same malware into two GitHub Actions workflows maintained by Checkmarx. The&nbsp;threat actors then followed it up by publishing malicious versions&nbsp;of <a href=\"https:\/\/docs.litellm.ai\/blog\/security-update-march-2026\">LiteLLM<\/a>&nbsp;and <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/telnyx-pypi-2026-teampcp-supply-chain-attacks\">Telnyx<\/a> to the Python Package Index (PyPI), both of which use Trivy in their CI\/CD&nbsp;pipeline.<\/p>\n<p>&#8220;The Telnyx compromise indicates a continued change in the techniques used in TeamPCP&#8217;s supply chain activity, with adjustments to tooling, delivery methods, and platform coverage,&#8221; Trend&nbsp;Micro <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/teampcp-telnyx-attack-marks-a-shift-in-tactics.html\">said<\/a> in&nbsp;an <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/your-ai-stack-just-handed-over-your-root-keys-inside-the-litellm-pypi-breach.html\">analysis of the&nbsp;attack<\/a>.<\/p>\n<p>&#8220;In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving their delivery from inline Base64 to .pth&nbsp;auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence.&#8221;<\/p>\n<p>On&nbsp;<a href=\"https:\/\/www.ox.security\/blog\/teampcps-telnyx-windows-malware-technical-analysis\/\">Windows&nbsp;systems<\/a>, the hack of&nbsp;the <a href=\"https:\/\/x.com\/TheEnergyStory\/status\/2038238773721325996\">Telnyx Python&nbsp;SDK<\/a> resulted in the deployment of an executable named &#8220;msbuild.exe&#8221; that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and&nbsp;a <a href=\"https:\/\/www.threatlocker.com\/blog\/supply-chain-attack-security-scanner-compromise-leads-to-widespread-infostealer-and-ransomware-pivot\">beacon<\/a> associated&nbsp;with <a href=\"https:\/\/thehackernews.com\/2025\/10\/russian-ransomware-gangs-weaponize-open.html\">AdaptixC2<\/a>, an open-source command-and-control (C2) framework.<\/p>\n<p>Additional analyses of the campaign, now identified as CVE-2026-33634, have been published by various cybersecurity vendors&nbsp;&#8211;<\/p>\n<ul>\n<li><a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/from-scanner-to-stealer-inside-the-trivy-action-supply-chain-compromise\/\">CrowdStrike<\/a><\/li>\n<li><a href=\"https:\/\/futuresearch.ai\/blog\/no-prompt-injection-required\/\">FUTURESEARCH<\/a><\/li>\n<li><a href=\"https:\/\/hexastrike.com\/resources\/blog\/threat-intelligence\/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk\/\">Hexastrike<\/a><\/li>\n<li><a href=\"https:\/\/kudelskisecurity.com\/research\/investigating-two-variants-of-the-trivy-supply-chain-compromise\">Kudelski Security<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/24\/detecting-investigating-defending-against-trivy-supply-chain-compromise\/\">Microsoft<\/a><\/li>\n<li><a href=\"https:\/\/opensourcemalware.com\/blog\/teampcp-supply-chain-campaign\">OpenSourceMalware<\/a><\/li>\n<li><a href=\"https:\/\/unit42.paloaltonetworks.com\/teampcp-supply-chain-attacks\/\">Palo Alto Networks Unit 42<\/a><\/li>\n<li><a href=\"https:\/\/www.reversinglabs.com\/blog\/teampcp-supply-chain-attack-spreads\">ReversingLabs<\/a><\/li>\n<li><a href=\"https:\/\/socradar.io\/blog\/teampcp-checkmarx-github-actions-attack\/\">SOCRadar<\/a><\/li>\n<li><a href=\"https:\/\/www.sonatype.com\/blog\/compromised-litellm-pypi-package-delivers-multi-stage-credential-stealer\">Sonatype<\/a><\/li>\n<li><a href=\"https:\/\/www.stepsecurity.io\/blog\/litellm-credential-stealer-hidden-in-pypi-wheel\">StepSecurity<\/a><\/li>\n<li><a href=\"https:\/\/snyk.io\/blog\/poisoned-security-scanner-backdooring-litellm\/\">Synk<\/a><\/li>\n<li><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/inside-litellm-supply-chain-compromise.html\">Trend Micro<\/a><\/li>\n<li><a href=\"https:\/\/www.truesec.com\/hub\/blog\/malicious-pypi-package-litellm-supply-chain-compromise\">TRUESEC<\/a><\/li>\n<li><a href=\"https:\/\/www.wiz.io\/blog\/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign\">Wiz<\/a><\/li>\n<\/ul>\n<p>TeamPCP&#8217;s supply chain compromise rampage may have come to an end, but the group has since shifted its focus towards monetizing existing credential harvests by teaming up with other financially motivated groups like Vect, LAPSUS$, and ShinyHunters. Evidence indicates that the threat actor has also launched a proprietary ransomware operation under the name CipherForce.<\/p>\n<p>These&nbsp;efforts have been complemented by TeamPCP&#8217;s use of the stolen data to access cloud and software-as-a-service (SaaS) environments, marking&nbsp;a new-found escalation of the campaign. To&nbsp;that end, the cybercrime gang has been found to verify stolen credentials using TruffleHog, launch discovery operations within 24 hours of validation, exfiltrate more data, and attempt lateral movement to gain access to the broader&nbsp;network.<\/p>\n<p>&#8220;The credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data,&#8221; Wiz researchers <a href=\"https:\/\/www.wiz.io\/blog\/tracking-teampcp-investigating-post-compromise-attacks-seen-in-the-wild\">said<\/a>. &#8220;While the speed at which they were used suggests that it was the work of the same threat actors responsible for the supply chain operations, we are not able to rule out the secrets being shared with other groups and used by&nbsp;them.&#8221;<\/p>\n<h3>Attacks Ripple Through Dependencies<\/h3>\n<p>Google&nbsp;has <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/north-korea-threat-actor-targets-axios-npm-package\">warned<\/a> that &#8220;hundreds of thousands of stolen secrets&#8221; could potentially be circulating as a result of the Axios and Trivy attacks, fueling more software supply chain attacks, SaaS environment compromises, ransomware and extortion events, and cryptocurrency theft over the near&nbsp;term.<\/p>\n<p>Two organizations that have confirmed compromise through the Trivy supply chain attack are artificial intelligence (AI) data training&nbsp;startup <a href=\"https:\/\/x.com\/mercor_ai\/status\/2039101905675403306\">Mercor<\/a> and&nbsp;the <a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_26_748\">European Commission<\/a>. While&nbsp;the company has not shared details on the impact, the LAPSUS$ extortion group listed Mercor on its leak site, claiming to have exfiltrated about 4TB of data. The&nbsp;Mercor breach has led Meta to pause its work with the company, according to&nbsp;a <a href=\"https:\/\/www.wired.com\/story\/meta-pauses-work-with-mercor-after-data-breach-puts-ai-industry-secrets-at-risk\/\">report<\/a> from&nbsp;WIRED.<\/p>\n<p>Earlier this month,&nbsp;CERT-EU <a href=\"https:\/\/cert.europa.eu\/blog\/european-commission-cloud-breach-trivy-supply-chain\">revealed<\/a> that the threat actors used the stolen AWS secret to exfiltrate data from the Commission&#8217;s cloud environment. This&nbsp;included data relating to websites hosted for up to 71 clients of the Europa web hosting service and outbound email communications. The&nbsp;ShinyHunters group has since released the exfiltrated dataset publicly on its dark web leak&nbsp;site.<\/p>\n<p>GitGuardian&#8217;s <a href=\"https:\/\/blog.gitguardian.com\/team-pcp-snowball-analysis\/\">analysis<\/a> of the Trivy and LiteLLM supply chain attacks and their spread through dependencies and automation pipelines has found that 474 public repositories executed malicious code from the compromised &#8220;trivy-action&#8221; workflow, and 1,750 Python packages were configured in a way that would automatically pull the poisoned&nbsp;versions.<\/p>\n<p>&#8220;TeamPCP is deliberately targeting security tools that run with elevated privileges by design. Compromising them gives the attacker access to some of the most sensitive environments in the organization, because security tools are typically granted broad access by design,&#8221; Brett Leatherman, assistant director of Cyber Division at the U.S. Federal Bureau of Investigation&nbsp;(FBI), <a href=\"https:\/\/www.linkedin.com\/posts\/bleatherman_fbicyber-share-7442369430245826560-IA9x\/?rcm=ACoAAA98Bu8BVZIE7tjrbfEgLetF8Wf_4bWQNHc&amp;skipRedirect=true\">wrote<\/a> on&nbsp;LinkedIn.<\/p>\n<p>The supply chain incidents are dangerous because they take aim at the inherent trust developers assume when downloading packages and dependencies from open-source repositories. &#8220;Trust was assumed where it should have been verified,&#8221; Mark Lechner, chief information security officer at&nbsp;Docker, <a href=\"https:\/\/www.docker.com\/blog\/defending-your-software-supply-chain-what-every-engineering-team-should-do-now\/\">said<\/a>.<\/p>\n<p>&#8220;The organizations that came through these incidents with minimal damage had already begun replacing implicit trust with explicit verification at every layer of their stack: verified base images instead of community pulls, pinned references instead of mutable tags, scoped and short-lived credentials instead of long-lived tokens, and sandboxed execution environments instead of wide-open CI&nbsp;runners.&#8221;<\/p>\n<p>Both Docker and the Python Package Index (PyPI) maintainers&nbsp;have <a href=\"https:\/\/blog.pypi.org\/posts\/2026-04-02-incident-report-litellm-telnyx-supply-chain-attack\/\">outlined<\/a> a long list of recommendations that developers can implement to counter such attacks&nbsp;&#8211;<\/p>\n<ul>\n<li>Pin packages by digest or commit SHA instead of mutable tags.<\/li>\n<li>Use Docker Hardened Images (DHI).<\/li>\n<li>Enforce minimum release age settings to delay adoption of new versions for dependency updates.<\/li>\n<li>Treat every CI runner as a potential breach point and avoid pull_request_targe triggers in GitHub Actions unless absolutely necessary.<\/li>\n<li>Use short-lived, narrowly scoped credentials.<\/li>\n<li>Use an internal mirror or artifact proxy.<\/li>\n<li>Deploy canary tokens to get alerted to potential exfiltration attempts.<\/li>\n<li>Audit environment for hard-coded secrets.<\/li>\n<li>Run AI coding agents in sandboxed environments.<\/li>\n<li>Use trusted publishing to push packages to <a href=\"https:\/\/docs.npmjs.com\/trusted-publishers\">npm<\/a> and <a href=\"https:\/\/docs.pypi.org\/trusted-publishers\/\">PyPI<\/a>.<\/li>\n<li>Secure the open-source development pipeline with two-factor authentication (2FA).<\/li>\n<\/ul>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has&nbsp;also <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/03\/26\/cisa-adds-one-known-exploited-vulnerability-catalog\">added<\/a> CVE-2026-33634 to its Known Exploited Vulnerabilities&nbsp;(<a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">KEV<\/a>) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by April 9,&nbsp;2026.<\/p>\n<p>&#8220;The number of recent software supply chain attacks is overwhelming,&#8221; Charles Carmakal, chief technology officer of Mandiant Consulting at&nbsp;Google, <a href=\"https:\/\/www.linkedin.com\/posts\/charlescarmakal_cybersecurity-threatintel-supplychain-activity-7444746390288789504-rHpT\/?rcm=ACoAAAAHXmsBeL1ZrOKRT8g9rCLjiQfqDSJUjk4\">said<\/a>. &#8220;Defenders need to pay close attention to these campaigns. Enterprises should spin up dedicated projects to assess the existing impact, remediate, and harden against future&nbsp;attacks.&#8221;<\/p>\n<div><\/div>\n<div>Found this article interesting?  Follow us on <a href='https:\/\/news.google.com\/publications\/CAAqLQgKIidDQklTRndnTWFoTUtFWFJvWldoaFkydGxjbTVsZDNNdVkyOXRLQUFQAQ' rel='noopener' target='_blank'>Google News<\/a>, <a href='https:\/\/twitter.com\/thehackersnews' rel='noopener' target='_blank'>Twitter<\/a> and <a href='https:\/\/www.linkedin.com\/company\/thehackernews\/' rel='noopener' target='_blank'>LinkedIn<\/a> to read more exclusive content we post.<\/div>\n","protected":false},"excerpt":{"rendered":"<p>OpenAI revealed a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no user data or internal system was compromised.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-45354","post","type-post","status-publish","format-standard","hentry","category-thehackernews"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45354","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45354"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45354\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45354"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=45354"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45354"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}