OpenAI has revoked macOS certificates as a precautionary measure following the Axios supply chain attack. Axios is a popular third-party JavaScript library for making HTTP requests in Node.js applications.
The Axios supply chain compromise occurred on March 31, 2026, and affected two NPM packages with nearly 100 million weekly downloads. The threat actors injected them with malicious dependencies to download payloads from attacker-controlled command-and-control servers.
Microsoft Threat Intelligence has attributed the supply chain attack to North Korean hackers Sapphire Sleet or UNC1069. The group compromised the lead maintainer, Jason Saayman, via social engineering by faking a web conference call. They abused the access to install a remote access trojan (RAT) that also targeted Windows and Linux operating systems.
However, the malicious NPM packages were live for three hours before Axios discovered and removed them. Nevertheless, OpenAI downloaded and executed the malicious packages via an automated GitHub Workflow, which had access to its macOS signing certificate for ChatGPT Desktop, Codex, Codex CLI, and Atlas.
Axios supply chain attack affected only OpenAI desktop apps on macOS
Upon learning of the supply chain attack, OpenAI revoked and rotated its signing certificate to prevent threat actors from submitting fake apps impersonating the company. Subsequently, OpenAI requires users to update their macOS certificates.
However, the supply chain attack did not expose user data, leak intellectual property, or compromise OpenAI applications.
“We found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered,” the company stated.
The supply chain attack also did not expose user passwords or OpenAI API keys. Additionally, only OpenAI desktop apps on macOS were affected. However, OpenAI apps on Android, Windows, iOS, Linux, and browsers were not affected.
The company also believes the signing certificate was not exfiltrated due to various mitigation factors, including the timing, job sequencing, and certificate injection.
Nevertheless, the company treated the signing certificate as compromised, revoked it, and forced users to update their macOS certificates as a precaution. It also uploaded new versions of all macOS desktop applications and prevented older software from being further notarized using the potentially compromised signing certificate.
“We knew that the Axios supply chain incident was going to be a problem that kept surfacing for a while,” said Denis Calderone, CTO, Suzu Labs. “Considering the blast radius with something like 100 million weekly downloads and an 80% presence across cloud environments, the effects were going to be broad no matter how you sliced it. What’s particularly interesting in today’s news is the fact that it hit an organization the size of OpenAI. A company with that level of resources and engineering talent still getting caught in a three-hour window tells you just how bad this thing really was.”
Update macOS certificates or lose access to OpenAI desktop apps
Mac users who fail to update their macOS certificates within 30 days would no longer receive updates, and the affected OpenAI desktop applications would stop functioning.
“Effective May 8, 2026, older versions of our macOS desktop apps will no longer receive updates or support, and may not be functional,” the company warned.
OpenAI says the delay would give users enough time to update their macOS certificates and desktop apps without interruption: “This window will help minimize user risk and allow impacted clients to update through built-in update mechanisms, ensuring they are appropriately remediated.”
OpenAI also warned that new downloads and first launches of software signed with revoked macOS certificates would automatically be blocked from execution. However, the already installed and executed OpenAI desktop products were not illegally modified and would remain functional.
“We have also reviewed all notarization of software using our previous certificate to confirm no unexpected software notarization occurred with these keys, and validated that our published software did not have unauthorized modifications,” the company said.
Additionally, OpenAI has not detected new software being illegally signed with the revoked code-signing certificate following the supply chain attack. The ChatGPT maker has also addressed the GitHub Workflow misconfiguration that enabled the automatic download and execution of the malicious NPM packages.
“Specifically, the action in question used a floating tag, as opposed to a specific commit hash, and did not have a configured minimumReleaseAge for new packages,” the company explained.
In light of the Axios supply chain attack, OpenAI also advised users against installing apps from ads, emails, suspicious links in messages, third-party software download sites, or file-sharing platforms.
“The real issue here is that we’re dealing with a trust model that was never designed for a world where nation-states are targeting it,” added Calderone. “If that certificate was compromised, a North Korean state actor now has the ability to sign malware that macOS treats as a legitimate OpenAI application. Gatekeeper lets it through. Users trust it. That’s not your run-of-the-mill credential theft, that’s more like identity theft at the software level.”

