
OpenAI Revokes macOS App Certificates After Malicious Axios Supply Chain Incident

OpenAI revealed that a GitHub Actions workflow used to sign its macOS apps downloaded the malicious Axios library on March 31, but noted that no user data or internal system was compromised.

“Out of an abundance of caution, we’re taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps,” OpenAI said in a post last week. “We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered.”

The disclosure comes a little over a week after Google Threat Intelligence Group (GTIG) attributed the supply chain compromise of the popular npm package to a North Korean hacking group it tracks as UNC1069.

The attack enabled the threat actors to hijack the package maintainer’s npm account to push two poisoned versions, 1.14.1 and 0.30.4, that came embedded with a malicious dependency named “plain-crypto-js,” which deployed a cross-platform backdoor called WAVESHAPER.V2 to infect Windows, macOS, and Linux systems.

The artificial intelligence (AI) company said a GitHub Actions workflow it uses as part of its macOS app-signing process downloaded and executed Axios version 1.14.1. The workflow, it added, had access to a certificate and notarization material used for signing ChatGPT Desktop, Codex, Codex CLI, and Atlas.

“Our analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors,” the company said.

Despite finding no evidence of data exfiltration, OpenAI said it is treating the certificate as compromised and that it is revoking and rotating it. As a result, older versions of all its macOS desktop apps will no longer receive updates or support starting May 8, 2026.

This also means that apps signed with the previous certificate will be blocked by macOS security protections by default, preventing them from being downloaded or launched. The earliest releases signed with the updated certificate are listed below –

  • ChatGPT Desktop – 1.2026.071
  • Codex App – 26.406.40811
  • Codex CLI – 0.119.0
  • Atlas – 1.2026.84.2

As part of its remediation efforts, OpenAI is also working with Apple to ensure software signed with the previous certificate cannot be newly notarized. The 30-day window until May 8, 2026, is a way to minimize user disruption and give users enough time to make sure they are updated to the latest version, it pointed out.


“In the event that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate OpenAI software,” OpenAI said. “We have stopped new software notarizations using the previous certificate, so new software signed with the previous certificate by an unauthorized third-party could be blocked by default by macOS security protections unless a user explicitly bypasses them.”

Two Supply Chain Attacks Rock March

The breach of Axios, one of the most widely used HTTP client libraries, was one of the two major supply chain attacks that took place in March aimed at the open-source ecosystem. The other incident targeted Trivy, a vulnerability scanner maintained by Aqua Security, resulting in cascading impacts across five ecosystems, affecting a number of other popular libraries depending on it.

The attack, the work of a cybercriminal group called TeamPCP (aka UNC6780), deployed a credential stealer dubbed SANDCLOCK that facilitated the extraction of sensitive data from developer environments. Subsequently, the threat actors weaponized the stolen credentials to compromise npm packages and push a self-propagating worm named CanisterWorm.

Days later, the group used secrets pilfered from the Trivy intrusion to inject the same malware into two GitHub Actions workflows maintained by Checkmarx. The threat actors then followed it up by publishing malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI), both of which use Trivy in their CI/CD pipeline.

“The Telnyx compromise indicates a continued change in the techniques used in TeamPCP’s supply chain activity, with adjustments to tooling, delivery methods, and platform coverage,” Trend Micro said in an analysis of the attack.

“In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving their delivery from inline Base64 to .pth auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence.”

On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named “msbuild.exe” that employs several obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework.

Additional analyses of the campaign, now known as CVE-2026-33634, have been published by various cybersecurity vendors –

TeamPCP’s supply chain compromise rampage may have come to an end, but the group has since shifted its focus towards monetizing existing credential harvests by teaming up with other financially motivated groups like Vect, LAPSUS$, and ShinyHunters. Evidence indicates that the threat actor has also launched a proprietary ransomware operation under the name CipherForce.


These efforts have been complemented by TeamPCP’s use of the stolen data to access cloud and software-as-a-service (SaaS) environments, marking a new-found escalation of the campaign. To that end, the cybercrime gang has been found to verify stolen credentials using TruffleHog, launch discovery operations within 24 hours of validation, exfiltrate more data, and attempt lateral movement to gain access to the broader network.

“The credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data,” Wiz researchers said. “While the speed at which they were used suggests that it was the work of the same threat actors responsible for the supply chain operations, we are not able to rule out the secrets being shared with other groups and used by them.”

Attacks Ripple Through Dependencies

Google has warned that “hundreds of thousands of stolen secrets” could potentially be circulating as a result of the Axios and Trivy attacks, fueling more software supply chain attacks, SaaS environment compromises, ransomware and extortion events, and cryptocurrency theft over the near term.

Two organizations that have confirmed compromise through the Trivy supply chain attack are artificial intelligence (AI) data training startup Mercor and the European Commission. While the company has not shared details on the impact, the LAPSUS$ extortion group listed Mercor on its leak site, claiming to have exfiltrated about 4TB of data. The Mercor breach has led Meta to pause its work with the company, according to a report from WIRED.

Earlier this month, CERT-EU revealed that the threat actors used the stolen AWS secret to exfiltrate data from the Commission’s cloud environment. This included data relating to websites hosted for up to 71 clients of the Europa hosting service and outbound email communications. The ShinyHunters group has since released the exfiltrated dataset publicly on its dark web leak site.

GitGuardian’s analysis of the Trivy and LiteLLM supply chain attacks and their spread through dependencies and automation pipelines has found that 474 public repositories executed malicious code from the compromised “trivy-action” workflow, and 1,750 Python packages were configured in a way that might automatically pull the poisoned versions.


“TeamPCP is deliberately targeting security tools that run with elevated privileges by design. Compromising them gives the attacker access to some of the most sensitive environments in the organization, because security tools are typically granted broad access by design,” Brett Leatherman, assistant director of Cyber Division at the U.S. Federal Bureau of Investigation (FBI), wrote on LinkedIn.

The supply chain incidents are dangerous because they take aim at the inherent trust developers assume when downloading packages and dependencies from open-source repositories. “Trust was assumed where it should have been verified,” Mark Lechner, chief information security officer at Docker, said.

“The organizations that came through these incidents with minimal damage had already begun replacing implicit trust with explicit verification at every layer of their stack: verified base images instead of community pulls, pinned references instead of mutable tags, scoped and short-lived credentials instead of long-lived tokens, and sandboxed execution environments instead of wide-open CI runners.”

Both Docker and the Python Package Index (PyPI) maintainers have outlined a long list of recommendations that developers can implement to counter such attacks –

  • Pin packages by digest or commit SHA instead of mutable tags.
  • Use Docker Hardened Images (DHI).
  • Implement minimum release age settings to delay adoption of new versions for dependency updates.
  • Treat every CI runner as a potential breach point and avoid pull_request_target triggers in GitHub Actions unless absolutely necessary.
  • Use short-lived, narrowly scoped credentials.
  • Use an internal mirror or artifact proxy.
  • Deploy canary tokens to get alerted to potential exfiltration attempts.
  • Audit environment for hard-coded secrets.
  • Run AI coding agents in sandboxed environments.
  • Use trusted publishing to push packages to npm and PyPI.
  • Secure the open-source development pipeline with two-factor authentication (2FA).
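Two of these recommendations can be checked mechanically in a GitHub Actions workflow file: references pinned to a commit SHA or image digest, and the absence of pull_request_target triggers. The audit below is an added example, not code from Docker or PyPI; it is a line-based heuristic rather than a YAML parser, and the workflow text and the `example-org/scanner-action` name are constructed.

```python
import re

SHA_PIN = re.compile(r"@[0-9a-f]{40}$")             # full commit SHA
DIGEST_PIN = re.compile(r"@sha256:[0-9a-f]{64}$")   # container image digest
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")

def audit_workflow(text):
    """Return (line_no, rule, detail) findings for one workflow file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                      # whole-line YAML comment
        code = line.split(" #", 1)[0]     # drop trailing comment
        if re.search(r"\bpull_request_target\b", code):
            findings.append((no, "pull_request_target", code.strip()))
        m = USES.match(code)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue                      # local action, versioned with the repo
        if ref.startswith("docker://"):
            if not DIGEST_PIN.search(ref):
                findings.append((no, "unpinned-image", ref))
        elif not SHA_PIN.search(ref):
            findings.append((no, "unpinned-action", ref))  # mutable tag or branch
    return findings

# Constructed workflow; the action names are placeholders.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: docker://example/image:latest
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```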

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2026-33634 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by April 9, 2026.

“The number of recent software supply chain attacks is overwhelming,” Charles Carmakal, chief technology officer of Mandiant Consulting at Google, said. “Defenders need to pay close attention to these campaigns. Enterprises should spin up dedicated projects to assess the current impact, remediate, and harden against future attacks.”
