OpenAI Discloses Supply Chain Attack Linked to North Korean Hackers
OpenAI revealed that a GitHub Actions workflow used to sign its macOS applications inadvertently downloaded a malicious version of the Axios npm library on March 31, though the company confirmed no user data or internal systems were compromised. The incident stemmed from a supply chain attack attributed to UNC1069, a North Korean hacking group tracked by Google’s Threat Intelligence Group (GTIG).
The threat actors hijacked the Axios maintainer’s npm account to push two poisoned versions (1.14.1 and 0.30.4), embedding a malicious dependency called plain-crypto-js. That dependency deployed WAVESHAPER.V2, a cross-platform backdoor targeting Windows, macOS, and Linux. OpenAI’s macOS app-signing workflow executed Axios 1.14.1, and that workflow had access to a signing certificate and notarization material for ChatGPT Desktop, Codex, Codex CLI, and Atlas.
While OpenAI found no evidence of certificate exfiltration, it is treating the certificate as compromised and revoking it by May 8, 2026. Older macOS app versions signed with the old certificate will no longer receive updates and will be blocked by macOS security protections. OpenAI is working with Apple to prevent further notarization of software signed with the compromised certificate.
Broader Supply Chain Campaigns
The Axios breach was one of two major March supply chain attacks targeting open-source ecosystems. The second, attributed to TeamPCP (UNC6780), compromised Trivy, a vulnerability scanner by Aqua Security, leading to cascading impacts across five ecosystems. The group deployed SANDCLOCK, a credential stealer, and later used stolen secrets to push a self-propagating worm (CanisterWorm) via malicious npm packages.
TeamPCP later exploited Trivy’s compromise to inject malware into GitHub Actions workflows at Checkmarx, then published poisoned versions of LiteLLM and Telnyx on PyPI. The Telnyx Python SDK attack deployed DonutLoader, a shellcode loader hidden in a PNG image, which executed a trojan and AdaptixC2, an open-source command-and-control framework.
Impact and Response
Google warned that hundreds of thousands of stolen secrets from these attacks could fuel further breaches, including ransomware, SaaS compromises, and cryptocurrency theft. Confirmed victims include Mercor, an AI training startup (breached via Trivy, with 4TB of data allegedly stolen by LAPSUS$), and the European Commission, where attackers exfiltrated AWS-hosted data from 71 Europa web hosting clients.
GitGuardian’s analysis found that 474 public repositories executed malicious code from the compromised trivy-action workflow, while 1,750 Python packages were configured to auto-pull poisoned versions. The FBI noted that TeamPCP’s targeting of security tools, which often run with elevated privileges, grants attackers deep access to sensitive environments.
Mitigation Efforts
OpenAI, Docker, PyPI, and CISA have outlined countermeasures, including:
- Pinning packages by digest (not mutable tags).
- Using hardened Docker images and enforcing minimum release age delays.
- Using short-lived, scoped credentials and sandboxed CI runners.
- Adopting trusted publishing for npm/PyPI packages and enforcing 2FA.
- CISA’s directive to federal agencies to mitigate CVE-2026-33634 by April 9, 2026.
The incidents underscore the risks of implicit trust in open-source dependencies, prompting calls for explicit verification at every layer of the software supply chain.
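As an added illustration of the pinning and minimum-release-age countermeasures listed above (this is not code from OpenAI, the article, or any vendor named in it), the following Node.js sketch audits an npm lockfile for the poisoned Axios versions and the plain-crypto-js dependency named in the article, for entries without a pinned digest, and for releases younger than a waiting period. It assumes the `packages` layout of lockfileVersion 2/3, a 7-day waiting period, and a caller-supplied map of publish times; the sample lockfile, dates and the plain-crypto-js version string are constructed.

```javascript
// Audit an npm lockfile against the indicators and countermeasures above.
// Versions in DENYLIST come from the article; other values are constructed.
const DENYLIST = new Map([
  ["axios", ["1.14.1", "0.30.4"]], // poisoned releases named in the article
  ["plain-crypto-js", ["*"]],      // malicious dependency: flag any version
]);

// Lockfile keys look like "node_modules/a/node_modules/b"; the package name
// is whatever follows the last "node_modules/" (scoped names keep their "/").
function packageName(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

// publishTimes maps "name@version" to an ISO date. Assumption: the caller
// fetched it from registry metadata beforehand, so the audit runs offline.
function auditLockfile(lock, publishTimes, now, minAgeDays = 7) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name || entry.link) continue; // skip root project and workspace links
    const id = `${name}@${entry.version}`;
    const bad = DENYLIST.get(name) || [];
    if (bad.includes("*") || bad.includes(entry.version)) {
      findings.push({ id, rule: "known-malicious" });
    }
    // Policy choice: require a sha512 digest so a swapped tarball is detected.
    if (!/^sha512-/.test(entry.integrity || "")) {
      findings.push({ id, rule: "no-sha512-integrity" });
    }
    const published = publishTimes[id];
    const ageDays = published ? (now - new Date(published)) / 86400000 : NaN;
    if (!(ageDays >= minAgeDays)) { // unknown publish time also fails closed
      findings.push({ id, rule: "below-minimum-release-age" });
    }
  }
  return findings;
}

// Constructed sample lockfile and publish times (not real registry data).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "signing-job", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1", integrity: "sha512-CONSTRUCTED" },
  "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
  "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED" },
} };
const SAMPLE_TIMES = { "axios@1.14.1": "2026-03-31T00:00:00Z",
  "left-pad@1.3.0": "2018-04-01T00:00:00Z" };
const SAMPLE_NOW = new Date("2026-04-01T00:00:00Z");
```

Run as a CI gate before any step that holds signing material, a non-empty result from `auditLockfile` should fail the job; the release-age rule flags the sample Axios entry even without the denylist, because the constructed publish time is only one day old.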
Source: https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html
OpenAI cybersecurity rating report: https://www.rankiteo.com/company/openai
European Union Agency for Cybersecurity (ENISA) cybersecurity rating report: https://www.rankiteo.com/company/european-union-agency-for-cybersecurity-enisa
{
  "id": "OPEEUR1776099017",
  "linkid": "openai, european-union-agency-for-cybersecurity-enisa",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'industry': 'Artificial Intelligence',
'location': 'United States',
'name': 'OpenAI',
'type': 'Technology Company'},
{'industry': 'AI Training',
'name': 'Mercor',
'type': 'Startup'},
{'customers_affected': '71 Europa web hosting clients',
'industry': 'Public Sector',
'location': 'Europe',
'name': 'European Commission',
'type': 'Government'}],
'attack_vector': 'Malicious npm package (Axios)',
'customer_advisories': 'Older macOS app versions signed with the compromised '
'certificate will no longer receive updates and will '
'be blocked by macOS security protections.',
'data_breach': {'data_exfiltration': 'No evidence of certificate exfiltration',
'sensitivity_of_data': 'High (signing certificate)',
'type_of_data_compromised': 'Signing certificate and '
'notarization material'},
'date_detected': '2026-03-31',
'description': 'OpenAI disclosed a supply chain attack where a GitHub Actions '
'workflow used to sign its macOS applications inadvertently '
'downloaded a malicious version of the Axios npm library. The '
'attack was attributed to UNC1069, a North Korean hacking '
'group. No user data or internal systems were compromised, but '
'the signing certificate was treated as compromised and '
'revoked.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'compromised signing certificate',
'data_compromised': 'No user data compromised, but signing '
'certificate and notarization material were '
'exposed',
'operational_impact': 'Older macOS app versions signed with the '
'compromised certificate will no longer '
'receive updates and will be blocked by '
'macOS security protections',
'systems_affected': ['macOS app-signing workflow',
'ChatGPT Desktop',
'Codex',
'Codex CLI',
'Atlas']},
'initial_access_broker': {'backdoors_established': ['WAVESHAPER.V2 '
'(cross-platform '
'backdoor)',
'SANDCLOCK (credential '
'stealer)',
'CanisterWorm '
'(self-propagating worm)',
'DonutLoader (shellcode '
'loader)'],
'data_sold_on_dark_web': 'Hundreds of thousands of '
'stolen secrets',
'entry_point': 'Compromised npm maintainer account '
'(Axios)',
'high_value_targets': ['Security tools (e.g., '
'Trivy)',
'CI/CD pipelines (GitHub '
'Actions)']},
'investigation_status': 'Ongoing',
'lessons_learned': 'The incidents underscore the risks of implicit trust in '
'open-source dependencies and the need for explicit '
'verification at every layer of the software supply chain.',
'motivation': ['Cyber Espionage', 'Data Theft', 'Supply Chain Compromise'],
'post_incident_analysis': {'corrective_actions': ['Revoking compromised '
'certificates',
'Enforcing trusted '
'publishing',
'Enhancing CI/CD security'],
'root_causes': ['Compromised open-source '
'maintainer accounts',
'Implicit trust in dependencies',
'Lack of package verification']},
'recommendations': ['Pin packages by digest (not mutable tags)',
'Use hardened Docker images and enforce minimum release '
'age delays',
'Short-lived, scoped credentials and sandboxed CI runners',
'Trusted publishing for npm/PyPI packages and 2FA '
'enforcement'],
'references': [{'source': 'OpenAI Disclosure'},
{'source': 'Google’s Threat Intelligence Group (GTIG)'},
{'source': 'GitGuardian Analysis'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA directive to '
'federal agencies to '
'mitigate '
'CVE-2026-33634 by '
'April 9, 2026']},
'response': {'containment_measures': ['Revoking compromised signing '
'certificate by May 8, 2026',
'Blocking older macOS app versions '
'signed with the old certificate'],
'remediation_measures': ['Working with Apple to prevent further '
'notarization of software signed with '
'the compromised certificate',
'Pinning packages by digest',
'Using hardened Docker images',
'Enforcing minimum release age delays'],
'third_party_assistance': 'Google’s Threat Intelligence Group '
'(GTIG), Apple, CISA'},
'threat_actor': ['UNC1069', 'TeamPCP (UNC6780)'],
'title': 'OpenAI Supply Chain Attack Linked to North Korean Hackers',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Compromised npm maintainer account'}