Axios Breach Fallout: OpenAI's MacOS App Updates Explained

A major software supply chain attack has forced OpenAI to implement emergency security measures for its macOS applications, highlighting the escalating threat posed by nation-state actors targeting critical development infrastructure.

The incident centres on a sophisticated attack on Axios – a widely trusted open-source JavaScript library that processes over 100 million weekly downloads.

When North Korean state-sponsored threat actors successfully tampered with version 1.14.1 of this third-party dependency, they created a cascading security crisis that exposed organisations across the technology sector to data exfiltration and remote access threats.

Organisations that downloaded the weaponised package faced potential infection with a remote access trojan (RAT) capable of conducting reconnaissance, executing remote commands and exfiltrating sensitive data from compromised systems.

OpenAI has moved swiftly to contain potential damage from the breach. "Out of an abundance of caution we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps," the company stated.

Although the company's investigation has "found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised or that our software was altered," security teams are implementing defensive measures to prevent potential credential misuse, according to OpenAI.

The company is mandating that all macOS users install updated versions of OpenAI applications including ChatGPT Desktop, Codex App, Codex CLI and Atlas.

This security update aims to eliminate attack vectors that malicious actors could exploit to distribute counterfeit applications that appear legitimate through compromised signing certificates.

Attack vector and threat actor attribution

According to the Google Threat Intelligence Group, the supply chain compromise occurred on 31 March 2026 when UNC1069  successfully inserted malicious code into Axios version 1.14.1.

UNC1069 is identified as a financially motivated North Korea-nexus threat actor that has maintained persistent operations since at least 2018.

The attack exploited a GitHub Actions workflow that OpenAI used in its macOS app-signing process.

This automated workflow unknowingly downloaded and executed the compromised version of Axios, potentially exposing sensitive certificate and notarisation materials used to verify the authenticity of OpenAI's macOS applications.

While the exposed credentials could have enabled threat actors to sign malicious software that would appear legitimate to macOS security systems, OpenAI's investigation suggests that timing factors and existing technical safeguards likely prevented successful data exfiltration.

"Nevertheless, out of an abundance of caution we are treating the certificate as compromised and are revoking and rotating it," OpenAI stated, ensuring all future application versions use updated signing credentials that threat actors cannot abuse.

The company has warned that from 8 May 2026, older versions of OpenAI macOS applications will lose support and may cease functioning entirely, forcing users onto secured versions.

Incident response and security hardening

OpenAI's remediation efforts demonstrate comprehensive incident response protocols.

The company engaged a third-party digital forensics and incident response firm to conduct thorough investigations, rotated its macOS code signing certificate and released newly signed versions of all potentially affected applications.

Security teams are collaborating with Apple to block any software signed with the previous certificate from receiving new notarisation, effectively preventing threat actors from exploiting the compromised credentials even if they were successfully exfiltrated.

A comprehensive review of historical notarisation activity has confirmed that no unauthorised software was signed using OpenAI credentials, suggesting the defensive measures prevented successful exploitation.

The root cause investigation identified critical misconfigurations in OpenAI's GitHub Actions workflow. The security vulnerability stemmed from using a floating tag rather than a fixed commit hash and failing to implement minimum release age requirements for package dependencies.

These configuration weaknesses have now been addressed to prevent similar attack vectors.

Broader supply chain threat landscape

Security researchers warn that the Axios compromise represents a broader trend of supply chain attacks targeting open-source ecosystems.

Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, emphasises the widespread security implications of the attack.

"The impact of this attack is broad and has significant ripple effects, as countless other popular packages rely on Axios as a dependency," he says.

"UNC1069 isn't the only threat actor that has launched successful open-source supply chain attacks in recent weeks," he adds.

"Other groups, such as TeamPCP (UNC6780), have recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations."

These concurrent campaigns demonstrate that multiple advanced persistent threat groups are actively exploiting trust relationships within software development supply chains, requiring organisations to implement robust dependency verification and continuous security monitoring across their development infrastructure.