OpenAI disclosed that it was affected by the Axios NPM supply-chain attack, in which compromised maintainer credentials were used to publish malicious packages that downloaded a cross-platform RAT. As a precaution, OpenAI halted affected notarizations, revoked its macOS signing certificate, and will rotate it. Investigators attribute the campaign to the North Korean-linked group UNC1069. #Axios #UNC1069
Key points
- Attackers compromised an Axios maintainer's NPM account and published two malicious packages that deployed a cross-platform RAT.
- The malicious packages were live for only a few hours but were executed in numerous environments, with Huntress and Wiz reporting multiple compromises.
- OpenAI's macOS app-signing GitHub Actions workflow downloaded Axios v1.14.1 and executed the payload, exposing certificate and notarization material used for signing apps like ChatGPT Desktop.
- OpenAI stopped new notarizations, revoked the affected certificate, and will rotate signing material to prevent unauthorized app launches after May 8, 2026.
- Security firms link the supply-chain campaign to UNC1069, a North Korean threat group known for cryptocurrency theft and monetization operations.
Read More: https://www.securityweek.com/openai-impacted-by-north-korea-linked-axios-supply-chain-hack/