LIVE THREATS
HIGH On Anthropic’s Mythos Preview and Project Glasswing // MEDIUM Artemis Emerges From Stealth With $70 Million in Funding // HIGH OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident // HIGH Old Vulnerabilities get a new life, all thanks to AI! // CRITICAL Cursor AI Vulnerability Exposed Developer Devices // HIGH Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments // MEDIUM OpenAI Widens Access to Cybersecurity Model After Anthropic’s Mythos Reveal // MEDIUM Human Trust of AI Agents // MEDIUM Frontier AI for Defenders: CrowdStrike and OpenAI TAC // MEDIUM Deterministic + Agentic AI: The Architecture Exposure Validation Requires //
ATLAS OWASP HIGH Significant risk · Prioritise patching Supply Chain Industry News LLM Security RELEVANCE ▲ 7.2

OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident

SOURCE The Hacker News ↗
TL;DR HIGH
  • What happened: North Korean actors compromised Axios npm library, exposing OpenAI's macOS app-signing certificates.
  • Who's at risk: ChatGPT Desktop, Codex, and Atlas users relying on OpenAI's macOS applications for daily workflows.
  • Act now: Update all OpenAI macOS apps to versions signed with new certificates by May 8, 2026. · Audit GitHub Actions workflows for npm dependency pinning and verification controls. · Monitor for WAVESHAPER.V2 backdoor indicators on macOS, Windows, and Linux systems.
0x4F0x3A0xFF0x0D0x7B0xC20xA10x550x0D0x7B0xC20xA10x550xE80x120x9F0xA10x550xE80x120x9F0xD40x2E0x880x120x9F0xD40x2E0x880x610xB30x4F0x2E0x880x610xB30x4F0x3A0xFF0x0D0xB30x4F0x3A0xFF0x0D0x7B0xC20xA10xFF0x0D0x7B0xC20xA10x550xE80x12SUPPLY CHAINThe Hacker NewsHIGHOpenAI Revokes macOS App Certificate AfterMalicious Axios Supply Chain Incident

Overview

On March 31, 2026, OpenAI’s macOS app-signing pipeline unknowingly downloaded and executed a trojanised version of the Axios npm library (v1.14.1) as part of a GitHub Actions workflow. The malicious package was part of a broader supply chain compromise attributed by Google’s Threat Intelligence Group (GTIG) to UNC1069, a North Korean threat actor. While OpenAI assessed that no user data, internal systems, or intellectual property were compromised, the incident exposed signing certificates covering four flagship products — ChatGPT Desktop, Codex, Codex CLI, and Atlas — prompting full certificate revocation and mandatory user upgrades.

Technical Analysis

UNC1069 hijacked the npm account of the legitimate Axios package maintainer and published two poisoned versions: 1.14.1 and 0.30.4. Both versions embedded a malicious dependency named plain-crypto-js, which served as a loader for a cross-platform backdoor dubbed WAVESHAPER.V2, capable of infecting Windows, macOS, and Linux systems.

OpenAI’s GitHub Actions workflow, responsible for signing macOS application binaries, resolved and executed Axios v1.14.1 during its dependency installation phase. This workflow held privileged access to:

  • Code-signing certificates for ChatGPT Desktop, Codex, Codex CLI, and Atlas
  • Apple notarization credentials

OpenAI’s post-incident analysis concluded that the certificate was likely not exfiltrated, citing timing of payload execution, the sequencing of certificate injection into the job, and other mitigating environmental factors. Nonetheless, OpenAI elected to treat the certificate as compromised, applying the principle of conservative incident response.

If the certificate had been successfully stolen, an adversary could sign arbitrary binaries to make them appear as legitimate OpenAI software — a highly credible vector for targeted malware distribution against OpenAI’s user base.

Framework Mapping

MITRE ATLAS:

  • AML.T0010 – ML Supply Chain Compromise: The attack directly targeted the build and signing pipeline of AI-enabled products, consistent with supply chain compromise of ML-adjacent infrastructure.
  • AML.T0047 – ML-Enabled Product or Service: The affected artifacts (ChatGPT Desktop, Codex) are AI-enabled products whose delivery integrity was threatened.

OWASP LLM Top 10:

  • LLM05 – Supply Chain Vulnerabilities: The incident is a textbook case of a third-party dependency compromise affecting the delivery chain of LLM-powered applications.

Impact Assessment

  • OpenAI users running macOS desktop apps signed with the compromised certificate must update before May 8, 2026, or face blocked launches due to macOS Gatekeeper enforcement.
  • Minimum affected versions requiring update: ChatGPT Desktop < 1.2026.071, Codex App < 26.406.40811, Codex CLI < 0.119.0, Atlas < 1.2026.84.2.
  • Broader ecosystem risk: Any organisation relying on Axios in CI/CD pipelines during the affected window may have been exposed to WAVESHAPER.V2.

Mitigation & Recommendations

  1. Update immediately to the latest OpenAI macOS app versions listed above before the May 8, 2026 deadline.
  2. Audit CI/CD pipelines for dependency pinning — use lockfiles (package-lock.json) and integrity hashes (SRI/npm integrity fields) to prevent silent version upgrades.
  3. Implement SLSA or Sigstore provenance verification for build-time dependencies in GitHub Actions workflows.
  4. Restrict workflow permissions — signing credentials should be injected only at the final signing step and never exposed to dependency installation phases.
  5. Monitor npm package integrity using tools such as Socket.dev, Snyk, or GitHub’s dependency review action.
  6. Treat signing certificates as secrets with short TTLs and automated rotation policies.

References