OpenAI Rotates macOS Signing Certificates Following Global Axios Supply Chain Attack

OpenAI rotates macOS app certificates to protect users following a global supply chain attack on the Axios developer library. Update required by May 8, 2026.

By: AXL Media

Published: Apr 11, 2026, 7:06 AM EDT

Source: Information for this report was sourced from OpenAI and Microsoft Security


Strategic Response to Third-Party Vulnerabilities

OpenAI has initiated a comprehensive security overhaul of its macOS application infrastructure in response to a significant supply chain incident involving Axios, a widely used JavaScript library. On March 31, 2026, a GitHub Actions workflow used in the OpenAI app-signing process inadvertently downloaded and executed a malicious version of the library, Axios 1.14.1. This automated environment had access to sensitive notarization materials and the certificates used to verify the legitimacy of OpenAI’s software. Although the company’s internal forensics suggest that these certificates were not successfully exfiltrated by the malicious payload, OpenAI is treating the material as compromised out of an abundance of caution to preserve the integrity of its ecosystem.

Mechanism of the Axios Supply Chain Breach

The breach was part of a broader industry-wide incident in which the Axios npm package was weaponized to deliver cross-platform remote access trojans (RATs). Security researchers have attributed the attack to the North Korean-linked threat group Sapphire Sleet, which hijacked the lead maintainer's account to inject a "phantom dependency" named plain-crypto-js. This malicious package executed silent background scripts upon installation, targeting macOS, Windows, and Linux environments. At OpenAI, the root cause was identified as a misconfiguration in its GitHub Actions workflow: it referenced a floating tag rather than a specific commit hash, so the automated system pulled the poisoned version of Axios as soon as it was published to the npm registry.
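As an added illustration (not code from OpenAI or from this article), the following Python check scans a GitHub Actions workflow for the two weaknesses the paragraph above describes: third-party actions referenced by a floating tag instead of a full commit SHA, and npm installs that resolve version ranges at run time and honour install-time scripts. The two workflow texts are constructed samples; the action name `example-org/macos-sign-action` and the 40-hex SHAs are placeholders, and the assumption that the floating reference sat in a `uses:` line is mine, since the article does not show the workflow.

```python
import re

# Constructed sample (not OpenAI's workflow): actions referenced by floating
# tags, so whatever the tag points to at run time is what executes.
FLOATING_WORKFLOW = """\
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/macos-sign-action@v1   # placeholder action name
      - run: npm install
"""

# Corrected form: actions pinned to full commit SHAs (placeholders; tag kept as a
# comment), strict lockfile install, and install-time scripts disabled.
PINNED_WORKFLOW = """\
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: example-org/macos-sign-action@89abcdef0123456789abcdef0123456789abcdef  # v1
      - run: npm ci --ignore-scripts
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # the reference after `uses:`
SHA_RE = re.compile(r"^[0-9a-f]{40}$")               # a full commit SHA
INSTALL_RE = re.compile(r"\bnpm\s+(install|i)\b")     # range-resolving install

def unpinned_actions(workflow_text):
    """Return `uses:` references whose ref is a tag or branch, not a commit SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # no `uses:` here, or a local/container ref (different check)
        _, _, version = m.group(1).partition("@")
        if not SHA_RE.match(version):
            findings.append(m.group(1))
    return findings

def mutable_installs(workflow_text):
    """npm install resolves ranges at run time and may rewrite the lockfile; npm ci
    installs exactly what package-lock.json records and fails on mismatch."""
    return [ln.strip() for ln in workflow_text.splitlines() if INSTALL_RE.search(ln)]
```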

Mandatory Security Updates for macOS Users

To mitigate the risk of threat actors using the potentially exposed signing material to create fraudulent "OpenAI" apps, the company is rotating its digital certificates, and the update is mandatory. This transition requires all macOS users to update their desktop applications to versions signed with the new credentials. Effective May 8, 2026, older versions of the software will lose support and may cease to function once the previous certificate is fully revoked. This 30-day window is designed to minimize operational disruption while ensuring that users are migrated to a secure environment. Once revocation is complete, macOS’s built-in Gatekeeper security will automatically block any newly downloaded software...
