OpenAI says malicious Axios attack hit Mac app-signing process

A compromised developer library can matter even when a company’s own code stays intact: the danger is that outside software slips into a trusted build path and reaches signing credentials. OpenAI said that is what happened in its macOS app-signing process, but it found no evidence that user data was accessed, its systems were compromised or its software was altered.

The company said a GitHub Actions workflow used in that process downloaded and executed a malicious version of Axios, version 1.14.1, on March 31, 2026 UTC. That workflow had access to certificate and notarization material used to sign macOS applications including ChatGPT Desktop, Codex, Codex CLI and Atlas. OpenAI said its analysis suggested the signing certificate was likely not successfully exfiltrated because of the timing of payload execution and other mitigating factors, but it treated the certificate as compromised anyway and began revoking and rotating it.

OpenAI said older macOS desktop app versions will stop receiving updates and support on May 8, 2026, and may no longer function. The earliest releases signed with the updated certificate are ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex CLI 0.119.0 and Atlas 1.2026.84.2. OpenAI said it had engaged a third-party digital forensics and incident response firm, published new builds and is working with Apple so software signed with the previous certificate cannot be newly notarized.

The episode sits inside a broader software supply chain attack, a reminder that major AI companies can be exposed through outside dependencies even when their internal controls hold. Microsoft Threat Intelligence attributed the Axios compromise to Sapphire Sleet, a North Korean state actor, and said the malicious Axios package versions were 1.14.1 and 0.30.4. Microsoft said Axios has more than 70 million weekly downloads, a scale that can turn one tainted package into a fast-moving risk across many downstream systems. Microsoft also said the second-stage payload could target macOS, Windows and Linux, and urged users who installed the malicious versions to rotate secrets and credentials immediately and downgrade to safe versions.

The stakes are high because OpenAI’s products are embedded in consumer and enterprise workflows, and trust in app authenticity is part of the business model. OpenAI says it maintains security compliance and accreditation for key services, including SOC 2 Type 2, ISO/IEC 27001:2022, ISO/IEC 27701:2019, ISO/IEC 42001:2023 and PCI-DSS for relevant components. The company also disclosed a separate Mixpanel incident in November 2025 involving limited analytics data from some API users and a limited number of ChatGPT users, but said no chat content, credentials, API keys or payment details were exposed. In this case, OpenAI is betting that a fast certificate rotation, new builds and a clean audit trail will preserve confidence before a supply chain scare becomes something larger.