Apr 13, 2026 • The Hacker News
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
Executive Summary
OpenAI disclosed a supply chain compromise affecting its macOS application signing pipeline. A GitHub Actions workflow used to certify legitimate OpenAI apps was found to have downloaded a malicious version of the Axios library on March 31. The incident targeted the code-signing process, potentially enabling distribution of tampered macOS applications. OpenAI responded by revoking the compromised certificate and implementing additional safeguards for its app certification workflow. Importantly, no user data or internal systems were reported as compromised. Organizations using Axios in automated CI/CD pipelines should verify library integrity and implement checksum verification for dependencies.
Summary
OpenAI revealed a GitHub Actions workflow used to sign its macOS apps, which downloaded the malicious Axios library on March 31, but noted that no user data or internal system was compromised. "Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps," OpenAI said in a post last week. "We found
Linked Entities
- Malicious Axios