OpenAI rotates macOS certs after Axios attack hit code-signing workflow

OpenAI is revoking and rotating its macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios npm package (v1.14.1) during a supply chain attack. Its investigation found no evidence that the certificates were misused or that user data was exposed, but because the workflow had access to the signing keys, OpenAI is treating them as potentially compromised and requires macOS users to update their apps before May 8, 2026. #Axios #UNC1069

Keypoints

  • A compromised Axios npm package (v1.14.1) executed in a GitHub Actions workflow and deployed malware inside that workflow.
  • The affected workflow had access to the OpenAI macOS code-signing certificates used for ChatGPT Desktop, Codex, Codex CLI, and Atlas.
  • OpenAI found no evidence of data or system compromise but is revoking and rotating the certificates out of caution, with full revocation on May 8, 2026.
  • macOS users must update to app versions signed with the new certificate; builds signed with the old certificate will be blocked once it is revoked. iOS, Android, Windows, Linux, and web services are not affected.
  • Researchers linked the Axios supply chain attack to North Korean threat actor UNC1069, which used social engineering to push malicious npm releases that install a cross-platform RAT.
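To confirm that an installed copy of one of these apps has actually been re-signed, check the signing certificate on the machine rather than trusting the version number. The script below is an added example, not OpenAI's tooling or anything from the article: it reduces `codesign` output to the signer's subject, Team ID and CDHash, dumps the leaf certificate and prints the fields that change on a rotation (serial number, fingerprint, validity dates), and runs a Gatekeeper assessment. The bundle path and the `SAMPLE_CODESIGN` text are assumptions; the sample is constructed with a placeholder company name and Team ID so the parsing part runs offline.

```shell
#!/bin/sh
# Added example (not from the article, not OpenAI's code): inspect which
# Developer ID certificate signed an installed macOS app.
# Assumptions: the bundle path passed on the command line, and the constructed
# codesign output in SAMPLE_CODESIGN (placeholder subject and Team ID).

# Reduce `codesign -dvvv` output (codesign writes it to stderr, so callers
# redirect 2>&1) to one line: leaf subject|TeamIdentifier|CDHash.
# The first Authority= line is the signer (leaf); later ones are the chain.
summarize_codesign() {
    awk '
        /^Authority=/ && leaf == "" { leaf = substr($0, 11) }
        /^TeamIdentifier=/          { team = substr($0, 16) }
        /^CDHash=/                  { cdhash = substr($0, 8) }
        END { printf "%s|%s|%s\n", leaf, team, cdhash }
    '
}

# Return 0 if a summary line (from summarize_codesign) carries the expected
# Team ID. The subject name alone is a weak check: a rotated certificate for
# the same team normally keeps the same "Developer ID Application: ..." name.
signed_by_team() {
    summary=$1; expected=$2
    team=${summary#*|}; team=${team%%|*}
    [ "$team" = "$expected" ]
}

# Live check on a Mac: print the summary, then the leaf certificate's serial,
# SHA-256 fingerprint and validity dates. Those are what distinguish the
# rotated certificate from the revoked one, since the name usually matches.
inspect_signer() {
    app=$1
    tmp=$(mktemp -d) || return 1
    codesign -dvvv "$app" 2>&1 | summarize_codesign
    codesign -d --extract-certificates="$tmp/cert" "$app" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    openssl x509 -inform der -in "$tmp/cert0" -noout -serial -fingerprint -sha256 -dates
    rm -rf "$tmp"
}

# Gatekeeper's verdict. Once the old certificate is revoked, a bundle still
# signed with it fails this assessment (revocation is checked through the
# system trust evaluation, so a machine that cannot reach Apple may lag).
gatekeeper_ok() {
    spctl --assess --type execute -v "$1"
}

# Constructed sample of `codesign -dvvv` output, trimmed to the relevant
# lines; the company name, Team ID and CDHash are placeholders.
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
CDHash=0123456789abcdef0123456789abcdef01234567
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

sample_summary() {
    printf '%s\n' "$SAMPLE_CODESIGN" | summarize_codesign
}

# Usage on a Mac (path is an assumption): sh check_signer.sh /Applications/ChatGPT.app
if [ "$#" -ge 1 ] && command -v codesign >/dev/null 2>&1; then
    inspect_signer "$1"
    gatekeeper_ok "$1" && echo "Gatekeeper: accepted"
fi
```

Run it against each affected bundle before and after updating and compare the serial and fingerprint lines: an unchanged serial means the app is still signed with the certificate that will be revoked on May 8, 2026. Team ID and subject matching alone will not tell you.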

Read More: https://www.bleepingcomputer.com/news/security/openai-rotates-macos-certs-after-axios-attack-hit-code-signing-workflow/