Axios Supply Chain Attack Reaches OpenAI macOS Signing Pipeline, Forces Certificate Rotation
A supply chain attack involving a compromised version of the Axios library (1.14.1) impacted OpenAI's macOS app signing workflow. The malicious package was executed in a GitHub Actions CI pipeline with access to sensitive code signing certificates, prompting OpenAI to revoke the certificates, rebuild applications, and force user updates, though no downstream compromise or data exfiltration was observed.
Source: Socket
Key Takeaways
- A compromised version of the Axios library (1.14.1) was executed inside OpenAI's macOS app signing workflow via GitHub Actions.
- The malicious workflow had access to sensitive macOS code signing certificates used for ChatGPT Desktop, Codex, and Atlas.
- OpenAI revoked and rotated its macOS code signing certificates and is forcing users to update desktop applications before May 8, 2026.
- The root cause was a CI pipeline misconfiguration that automatically pulled the latest dependency version at runtime.
- The broader supply chain campaign targeting Node.js maintainers has been attributed to North Korean threat actors.
Affected Systems
- macOS applications (ChatGPT Desktop, Codex, Atlas)
- GitHub Actions CI/CD pipelines
- Node.js environments utilizing Axios version 1.14.1
Attack Chain
North Korean threat actors compromised the Axios library via a social engineering campaign targeting Node.js maintainers. OpenAI's GitHub Actions CI pipeline, misconfigured to pull the latest dependencies at runtime, downloaded and executed the malicious Axios version 1.14.1. The execution occurred in a workflow with access to sensitive macOS code signing certificates. Although exfiltration was likely prevented, the exposure forced a complete revocation and rotation of the signing certificates to prevent malicious software from being distributed under OpenAI's identity.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Low. The execution occurred within ephemeral GitHub Actions CI/CD runners, which often lack standard EDR coverage compared to traditional endpoints.
- Network Visibility: Medium. Network monitoring could detect anomalous outbound connections from CI/CD runners attempting to exfiltrate signing certificates or communicate with actor-controlled infrastructure.
- Detection Difficulty: Hard. Detecting malicious code execution within a legitimate dependency update in an automated CI pipeline is notoriously difficult without strict dependency pinning and integrity checking.
Required Log Sources
- CI/CD Pipeline Logs (GitHub Actions)
- Package Manager Logs (npm)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Search for CI/CD pipeline executions that dynamically pull Axios version 1.14.1 without version pinning. | CI/CD build logs, package manager execution logs | Execution | Low |
| Identify unexpected outbound network connections originating from build runners during the dependency installation phase. | Network flow logs, CI/CD runner network telemetry | Exfiltration | Medium |
Control Gaps
- Lack of dependency version pinning
- Over-privileged CI/CD workflows exposing signing certificates to dependency resolution steps
Key Behavioral Indicators
- Unexpected outbound network connections from build runners
- Access to signing certificates by unauthorized or unexpected processes within the build environment
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Audit CI/CD pipelines for the use of Axios 1.14.1 and remove or downgrade the package immediately.
- Revoke and rotate any secrets, API keys, or certificates exposed to pipelines that executed the compromised package.
Infrastructure Hardening
- Implement strict dependency pinning and lockfiles to prevent automatic pulling of new package versions at runtime.
- Apply the principle of least privilege to CI/CD workflows, isolating signing materials and credentials from general build and dependency resolution steps.
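One way to run the audit and pinning checks recommended above, as an added example (not code from the article or from OpenAI): it scans a parsed package.json and package-lock.json (lockfile v2/v3 layout) for Axios 1.14.1, floating version specs, and entries without an integrity hash. The helper name `auditDependencies`, the sample manifest, and the sample lockfile are constructed for illustration.

```javascript
// Known-bad releases to flag; Axios 1.14.1 is the version named in the article.
const BAD_VERSIONS = new Map([["axios", ["1.14.1"]]]);

// An exact pin is a bare x.y.z (optionally with a prerelease/build suffix).
const isExactPin = (spec) => /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/.test(spec);

// auditDependencies is a hypothetical helper name, not part of npm.
function auditDependencies(manifest, lock) {
  const findings = [];
  // 1. Floating specs (^, ~, *, "latest") let a lockfile-less install drift.
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isExactPin(spec)) findings.push({ type: "floating-spec", name, detail: spec });
    }
  }
  // 2. Lockfile v2/v3 lists every installed copy, nested ones included, under
  //    "packages" with keys such as "node_modules/a/node_modules/axios".
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0) continue; // root project or workspace source, not an install
    const name = path.slice(i + "node_modules/".length);
    if ((BAD_VERSIONS.get(name) || []).includes(entry.version)) {
      findings.push({ type: "known-bad-version", name, detail: `${path}@${entry.version}` });
    }
    // Without an integrity hash the installer cannot verify the tarball.
    if (!entry.link && !entry.integrity) {
      findings.push({ type: "missing-integrity", name, detail: path });
    }
  }
  return findings;
}

// Constructed sample data (not taken from any real project).
const sampleManifest = { dependencies: { axios: "^1.13.0", "example-sdk": "2.0.0" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1", integrity: "sha512-CONSTRUCTED" },
    "node_modules/example-sdk": { version: "2.0.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/example-sdk/node_modules/axios": { version: "1.14.1" },
  },
};

console.log(auditDependencies(sampleManifest, sampleLock));
```

In CI, a check like this pairs with `npm ci`, which installs strictly from the lockfile and fails when the lockfile and package.json disagree.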
User Protection
- Update OpenAI macOS applications (ChatGPT Desktop, Codex, Atlas) to the latest versions before the May 8, 2026 cutoff date.
Security Awareness
- Educate development teams on the risks of dynamic dependency resolution and the importance of software supply chain security.
MITRE ATT&CK Mapping
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- T1552.004 - Unsecured Credentials: Private Keys
Additional IOCs
- Other: Axios 1.14.1 (malicious npm package version)