The Axios npm supply chain attack has been linked to North Korea’s Lazarus Group, forcing OpenAI to take extensive remedial action following the incident reported on April 1, 2026.

This incident signifies a growing threat from third-party software vulnerabilities as OpenAI disclosed exposure to the attack while confirming the security of its user data and internal systems. Google Threat Intelligence Group attributed the attack to UNC1069, a financially motivated group known to be active since at least 2018.

OpenAI stated, “We recently identified a security issue involving a third-party developer tool, Axios, that was part of a widely reported, broader industry incident.” They added that no evidence indicated that user data had been accessed or internal systems compromised.

The exposure occurred on March 31, 2026, when a GitHub Actions workflow executed a compromised version of Axios (v1.14.1), which had access to sensitive code-signing certificates for OpenAI applications, including ChatGPT Desktop and Codex.

In response, OpenAI initiated a full rotation of its macOS code-signing certificates, treating them as potentially compromised despite internal analysis suggesting the certificates were likely not exfiltrated. Users are required to update their macOS applications, with support for older versions ending on May 8, 2026.

The updates will include new certificates to prevent the distribution of malicious software masquerading as legitimate OpenAI applications. This step is necessary to address the inherent risks of supply chain attacks.

OpenAI engaged a third-party digital forensics firm to investigate the incident and worked with Apple to block any new notarization attempts using the old certificate. The company has also published new builds of all affected applications and reviewed previous software notarizations for anomalies.

The exposure’s root cause stemmed from a misconfiguration in OpenAI’s GitHub Actions workflow, which referenced a dependency by a floating tag instead of a fixed commit hash, so a newly published malicious release was pulled in automatically rather than being held at a known-good revision.
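The floating-tag mistake described above is the kind of thing a repository check can catch before a workflow runs. The following script is an added example, not OpenAI's tooling or anything from the Axios project: it scans a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-character commit SHA, and rewrites a line to the pinned form while keeping the old tag as a comment. The sample workflow and the SHA in it are constructed placeholders; the check assumes that any ref which is not a 40-hex SHA is mutable (a tag or branch), and it skips local (`./`) and `docker://` references, which do not resolve through a git ref.

```python
"""Audit GitHub Actions workflows for mutable `uses:` refs.

Added example (not from the article or any project it names). The rule
is simple: a `uses: owner/repo@ref` line is only immutable when `ref` is
a full commit SHA; tags and branches can be moved to point at new code.
"""
import re
from typing import List, Tuple

# Matches `- uses: owner/repo@ref` (optionally quoted); stops at
# whitespace, quotes or a trailing `# comment`.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# A full-length commit SHA is the only ref that cannot be re-pointed.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow: two floating refs, one pinned, one local.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/sign
      - run: npm ci
"""


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, target, reason) for every mutable `uses:` ref."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local and container references have no git ref to pin.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            findings.append((lineno, target, "missing ref"))
            continue
        _, _, ref = target.rpartition("@")
        if SHA_RE.match(ref):
            continue  # already pinned to an immutable commit
        findings.append((lineno, target,
                         f"mutable ref {ref!r}; pin to a 40-char commit SHA"))
    return findings


def pin_uses_line(line: str, sha: str) -> str:
    """Rewrite one `uses:` line to a commit pin, keeping the old ref as a comment."""
    m = USES_RE.match(line)
    if not m or not SHA_RE.match(sha):
        raise ValueError("not a pinnable uses: line or not a full SHA")
    target = m.group(1)
    action, sep, old_ref = target.rpartition("@")
    if not sep:
        action, old_ref = target, ""
    pinned = line.replace(target, f"{action}@{sha}", 1).rstrip()
    # The comment records which tag the SHA was taken from, the usual
    # convention so reviewers can see what the pin is meant to track.
    return f"{pinned}  # {old_ref}" if old_ref else pinned


if __name__ == "__main__":
    for lineno, target, reason in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target}: {reason}")
```

Running the script on the constructed workflow flags lines 7 and 8 (`@v4` and `@main`) and accepts the SHA-pinned and local steps. The same principle applies to the npm side of a workflow: committing a lockfile and installing with `npm ci` keeps package versions at the revisions that were reviewed, rather than whatever a tag or range resolves to on the day the job runs.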

OpenAI has confirmed that the incident had no impact on platforms such as iOS, Android, Windows, or Linux. They reiterated that no user data, API keys, or passwords were compromised, and no malicious software bearing OpenAI’s signature has been found.

The old certificate will be fully revoked on May 8, 2026, following a 30-day transition period that gives users time to update. Any software signed with the old certificate will be blocked by macOS security protections after revocation, minimizing the potential for misuse.

This attack reflects escalating risks associated with third-party software dependencies and underscores the critical need for stricter dependency management and secure development practices within organizations.
