
OpenAI disclosed a GitHub Actions workflow used to sign a macOS app that downloaded the malicious Axios library on March 31, but noted that no user data or internal systems were compromised.
“Out of an abundance of caution, we are taking steps to protect the process by which our macOS applications certify that they are genuine OpenAI apps,” OpenAI said in a post last week. “We found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was modified.”
This disclosure comes a little more than a week after the Google Threat Intelligence Group (GTIG) confirmed that a supply chain breach of the popular npm package was the work of a North Korean hacker group it tracks as UNC1069.
The attackers hijacked the package maintainer’s npm account and pushed two poisoned versions, 1.14.1 and 0.30.4, carrying a malicious dependency named “plain-crypto-js” that deployed a cross-platform backdoor called WAVESHAPER.V2 to infect Windows, macOS, and Linux systems.
The artificial intelligence (AI) company said the GitHub Actions workflow it uses as part of its macOS app signing process downloaded and ran Axios version 1.14.1. It added that this workflow provides access to certificates and notarization materials used for signing ChatGPT Desktop, Codex, Codex CLI, and Atlas.
“After analyzing the incident, we concluded that the signing certificate present in this workflow was likely not successfully extracted by the malicious payload due to the timing of the payload execution, the insertion of the certificate in the job, the sequence of the job itself, and other mitigating factors,” the company said.
OpenAI said it is treating its certificates as compromised, revoking them and rotating them, even though it has found no evidence of a data breach. As a result, starting May 8, 2026, older versions of all macOS desktop apps will no longer receive updates or support.
This also means that apps signed with the previous certificate will be blocked by macOS security protections by default and can no longer be downloaded or launched. The first releases signed with the updated certificate are listed below:
- ChatGPT Desktop – 1.2026.071
- Codex App – 26.406.40811
- Codex CLI – 0.119.0
- Atlas – 1.2026.84.2
As part of its remediation efforts, OpenAI is working with Apple to ensure that software signed with the previous certificates cannot be newly notarized. The company noted that the 30-day period ending on May 8, 2026 is intended to minimize disruption for users and give them enough time to update to the latest version.
“If a certificate is compromised by a malicious attacker, they could use it to sign their own code and make it appear to be legitimate OpenAI software,” OpenAI said. “We stopped notarizing new software using old certificates, so new software signed with old certificates by unauthorized third parties will be blocked by macOS security protections by default unless users explicitly bypass them.”
Two Supply Chain Attacks Rock March
The breach of Axios, one of the most widely used HTTP client libraries, was one of two major supply chain attacks targeting the open source ecosystem in March. Another incident targeted Trivy, a vulnerability scanner managed by Aqua Security, resulting in cascading effects across five ecosystems and impacting many other popular libraries that depend on it.
The attack was the work of a cybercriminal group called TeamPCP (also known as UNC6780), which deployed a credential stealer called SANDCLOCK that facilitated the extraction of sensitive data from development environments. The attackers then used the stolen credentials to compromise the npm package and push a self-propagating worm named CanisterWorm.
A few days later, the group used the secrets stolen in the Trivy breach to inject the same malware into two GitHub Actions workflows maintained by Checkmarx. The attackers then followed this up by publishing malicious versions of LiteLLM and Telnyx on the Python Package Index (PyPI); both projects use Trivy in their CI/CD pipelines.
In its analysis of the attack, Trend Micro said, “The Telnyx breach demonstrates continued changes in the technology used in TeamPCP’s supply chain activities, including adjustments to tools, delivery methods, and platform coverage.”
“In just eight days, this attacker has expanded across security scanners, AI infrastructure, and now communications tools, evolved its delivery from inline Base64 to .pth auto-execution, and finally split-file WAV steganography, and expanded its targets from Linux-only to dual-platform with Windows persistence.”
On Windows systems, the compromised Telnyx Python SDK deployed an executable named ‘msbuild.exe’. The executable uses several obfuscation techniques to evade detection and extracts a shellcode loader, DonutLoader, from a PNG image embedded in the binary to load a full-featured Trojan and beacons associated with AdaptixC2, an open-source command and control (C2) framework.
Additional analysis of this campaign, currently identified as CVE-2026-33634, has been published by various cybersecurity vendors.
TeamPCP’s supply chain breach epidemic may have come to an end, but the group has since shifted its focus to monetizing existing credentials by partnering with other financially motivated groups such as Vect, LAPSUS$, and ShinyHunters. Evidence indicates that the threat actor has also launched its own ransomware campaign under the name CipherForce.
These efforts are complemented by TeamPCP using stolen data to access cloud and software-as-a-service (SaaS) environments, marking a new expansion of the campaign. To that end, cybercriminal organizations were found to use TruffleHog to verify stolen credentials, launch discovery operations within 24 hours of verification, and attempt lateral movement to extract more data and gain access to broader networks.
“Credentials and sensitive information stolen in the supply chain breach were quickly verified and used to probe the victim’s environment and extract additional data,” Wiz researchers said. “While the speed with which they were used suggests that it was the work of the same attackers responsible for operating the supply chain, we cannot rule out the possibility that the secrets were shared with and used by other groups.”
Attack Spreading Through Dependencies
Google warned that “hundreds of thousands of pieces of stolen sensitive information” could be in circulation as a result of the Axios and Trivy attacks, potentially facilitating further software supply chain attacks, SaaS compromises, ransomware and extortion events, and cryptocurrency theft in the near term.
Two organizations that have confirmed breaches from the Trivy supply chain attack are artificial intelligence (AI) data training startup Mercor and the European Commission. Although the company has not disclosed the details of the impact, the LAPSUS$ extortion group has listed Mercor on its leak site and claims to have leaked approximately 4TB of data. WIRED reports that Meta has suspended business with Mercor due to the breach.
Earlier this month, CERT-EU revealed that attackers used stolen AWS secrets to exfiltrate data from the Commission’s cloud environment. This includes data related to hosted websites and outbound email communications for up to 71 clients of Europa Web Hosting Services. The ShinyHunters group later published the leaked dataset on a dark web leak site.
GitGuardian’s analysis of the Trivy and LiteLLM supply chain attack and its spread through dependencies and automated pipelines found that 474 public repositories executed malicious code from compromised “trivy-action” workflows and 1,750 Python packages were configured in a way to automatically pull tainted versions.
“TeamPCP intentionally targets security tools that run with high privileges by design. Security tools typically have broad access by design, so compromising them gives attackers access to an organization’s most sensitive environments,” Brett Leatherman, deputy director of the FBI’s cyber division, wrote on LinkedIn.
Supply chain incidents are dangerous because they target the inherent trust that developers assume when downloading packages and dependencies from open source repositories. “The assumption was that trust was supposed to be tested,” said Mark Lechner, Docker’s chief information security officer.
“Organizations that survived these incidents with minimal damage began replacing implicit trust with explicit verification at every layer of the stack: verified base images instead of community pulls, pinned references instead of mutable tags, limited short-lived credentials instead of long-lived tokens, and sandboxed execution environments instead of widely open CI runners.”
Both Docker and the Python Package Index (PyPI) maintainers have outlined a long list of recommendations that developers can implement to counter such attacks.
- Pin packages with a digest or commit SHA instead of mutable tags.
- Use Docker Hardened Images (DHI).
- Enforce minimum release window settings to delay adoption of new versions for dependency updates.
- Treat all CI runners as potential points of compromise and avoid pull_request_target triggers on GitHub Actions unless absolutely necessary.
- Use short-lived, narrow-scope credentials.
- Use internal mirrors or artifact proxies.
- Deploy canary tokens to receive alerts about potential leak attempts.
- Audit environments for hard-coded secrets.
- Run your AI coding agent in a sandbox environment.
- Push packages to npm and PyPI using trusted publishing.
- Secure your open source development pipeline with two-factor authentication (2FA).
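As an added illustration of several of the recommendations above (not code from the article or from Docker or PyPI), the following script audits a GitHub Actions workflow for the weak patterns that let a CI job pull a freshly poisoned release: a pull_request_target trigger, no permissions block, actions on mutable tags, and unpinned package installs. Both workflow texts are constructed samples, and the commit SHA and version number in the hardened one are placeholders.

```python
import re

# Constructed sample (not from the article): a workflow showing the weak
# patterns the recommendations call out.
WEAK_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - run: npm install axios
      - run: pip install litellm
"""

# The same job hardened along the article's lines. The 40-hex SHA and the
# version are placeholders, not real pins.
HARDENED_WORKFLOW = """\
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
      - run: pip install litellm==0.0.0
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text: str) -> list[str]:
    """Return one finding per weak pattern; an empty list means none were seen."""
    findings = []
    if re.search(r"^\s*pull_request_target:", text, re.M):
        findings.append("pull_request_target trigger: forked PR code runs with repo secrets")
    if not re.search(r"^permissions:", text, re.M):
        findings.append("no top-level permissions block: GITHUB_TOKEN keeps default scope")
    for m in re.finditer(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)", text):
        if not SHA40.match(m.group(2)):
            findings.append(f"{m.group(1)}@{m.group(2)}: mutable ref, pin to a commit SHA")
    for m in re.finditer(r"run:\s*(npm install|pip install)\s+(.+)", text):
        for pkg in m.group(2).split():
            if not pkg.startswith("-") and not re.search(r"[@=]=?\d", pkg):
                findings.append(f"{pkg}: unpinned version, fetches whatever is newest")
    # A pin does not vet the pinned version itself; the "minimum release window"
    # recommendation is what delays adoption of a release pushed minutes ago.
    return findings
```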
Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-33634 to its Known Exploited Vulnerabilities (KEV) Catalog and requires Federal Civilian Executive Branch (FCEB) agencies to apply the required mitigations by April 9, 2026.
“The number of recent software supply chain attacks is overwhelming,” said Charles Karmakar, chief technology officer at Google’s Mandiant Consulting. “Defenders must pay close attention to these campaigns. Enterprises should launch dedicated projects to assess and remediate existing impacts and harden against future attacks.”
