13.04.2026
3 min
154
OpenAI has revoked the signing certificate for its macOS apps following a compromise incident involving a third-party Axios library. The company said it had not detected any data leaks or system breaches, but decided to act proactively to eliminate any risks.
An incident was identified by OpenAI in the app signing process of its macOS app. On March 31, a GitHub Actions workflow run by OpenAI automatically downloaded and executed a malicious version of Axios (library) on OpenAI’s behalf. The company stated that there was no exposure of user data, internal systems, nor software.
OpenAI stated that it is proactively securing its app signing process and eliminating any potential threats. Additionally, OpenAI said that it found no indication that any user data was accessed or manipulated.
The incident happened amid a broader supply chain attack. The Google Threat Intelligence Group states that the Axios npm package compromise was carried out by the North Korean threat actor UNC1069. They compromised the developer account and distributed malicious versions 1.14.1 and 0.30.4 of the library.
These versions included a malicious dependency named “plain-crypto-js” that deployed the WAVESHAPER.V2 backdoor. The backdoor allowed remote access to devices running Windows, macOS and Linux.
OpenAI clarified that the infected version of Axios was utilized within their CI/CD application signing process. This process had access to certificates and notarization documents necessary to sign ChatGPT Desktop, Codex, Codex CLI and Atlas. However, the internal investigation indicated that the certificate was probably not stolen. This is due to the timing of when the malicious code was executed, the nature of the task being performed and additional security measures implemented.
As a result, OpenAI did not want to assume any risks regarding the integrity of its apps and therefore removed the old certificate and replaced it with a new one. All macOS applications have been re-signed with the new certificate, and future versions of these apps will utilize the new certificate. Older versions of these apps will cease to function after May 8, 2026. Furthermore, any macOS system attempting to execute an application utilizing the old certificate will automatically be blocked. Therefore, even if an attacker attempted to utilize the old certificate to create an executable to install malware onto a system, they would need to manually intervene on the part of the end-user to allow installation.
Here are the current versions of OpenAI’s applications signed with the new certificate:
ChatGPT Desktop — 1.2026.071
Codex — 26.406.40811
Codex CLI — 0.119.0
Atlas — 1.2026.84.2
OpenAI is also working with Apple to prevent the use of the old certificate entirely and has provided users with a 30 day period to update to help minimize disruption.
According to OpenAI, if an actual compromise of the certificate occurs, attackers could potentially create their own programs, and masquerade them as legitimate by having them signed with their own program. Thus, they made the decision to remove both the capability and risk.
This incident represents just one example of a larger series of attacks on the open-source ecosystem that took place during the month of March. Another significant example involved the Trivy tool, whose compromise created a domino effect impacting multiple ecosystems simultaneously.
Researchers attribute the compromise of Trivy to TeamPCP. After compromising Trivy with SANDCLOCK malware to exfiltrate credentials, TeamPCP used those credentials to compromise npm packages and spread the CanisterWorm.
TeamPCP then proceeded to exploit those same compromised credentials to breach other projects; specifically, TeamPCP inserted malicious code into GitHub Actions workflows and delivered infected versions of LiteLLM and Telnyx via PyPI.
When TeamPCP breached Telnyx, they successfully triggered the execution of the msbuild.exe file, which extracted further code from a PNG image prior to downloading a fully-functional Trojan supporting AdaptixC2 communications.
This campaign was assigned the identifier CVE-2026-33634 and has drawn significant interest from various cybersecurity organizations, including Microsoft, CrowdStrike, Palo Alto Networks, etc.
After completing their active exploitation activities, researchers indicate that TeamPCP transitioned to monetize the stolen information. Researchers associate TeamPCP with other groups (e.g., LAPSUS$, ShinyHunters & Vect) as well as their involvement in launching their own ransomware operation CipherForce.
Google cautions that a successful attack may lead to widespread damage and include but are limited to: hundreds of thousands of secret exposures; compromise of SaaS services; extortion attempts; and theft of cryptocurrency.
Among those impacted by TeamPCP’s exploits are Mercor (a startup) and the European Commission. At least once TeamPCP used stolen AWS keys to gain access to hosting company data belonging to Europa.
Researchers report that hundreds of repositories were running malicious code, while tens of thousands of Python libraries were capable of automatically pulling in infected versions of dependencies.
Security experts agree that developers’ reliance on unverified dependencies is a primary vulnerability in such situations.
To avoid such incidents in the future experts recommend that developers employ strict checks of each component. A few simple ways to do so include:
Create fixed package versions via commit or digest
Utilize secure Docker images
Limit access privileges and set time limits for tokens
Isolate run times
Implement two factor authentication
CISA has already listed CVE-2026-33634 as an actively exploited vulnerability and has ordered all U.S. federal agencies to resolve the issue before April 9th.
