Apr 13, 2026 • The Hacker News
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
Executive Summary
OpenAI disclosed a supply chain security incident in which a GitHub Actions workflow used to sign its macOS applications downloaded a malicious version of the Axios library on March 31. Because the affected workflow is part of the code signing process, OpenAI revoked its macOS app signing certificate as a precaution to protect the process that certifies its macOS apps as legitimate. The company said it found no evidence that user data or internal systems were compromised. The incident is another example of the supply chain risk carried by build and release pipelines, where a malicious or compromised third-party dependency pulled in by CI can reach a step as sensitive as code signing. OpenAI said it is adding protections to its code signing workflow.
Summary
OpenAI revealed that a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no user data or internal systems were compromised. "Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps," OpenAI said in a post last week. "We found no