OpenAI Rotates macOS Signing Certificates After Axios Compromise

OpenAI discovered a software supply-chain compromise when the widely used third-party JavaScript library Axios was poisoned on March 31, 2026. A GitHub Actions workflow in OpenAI's macOS app-signing pipeline downloaded and executed a malicious Axios version, which ran in a job that had access to a certificate and notarization material used to sign macOS apps. Affected apps include ChatGPT Desktop, Codex, Codex CLI, and Atlas. OpenAI stated, "We found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered." Out of caution OpenAI revoked and rotated the signing certificate and is forcing macOS app updates effective May 8, 2026.

OpenAI attributes the initial vector to a compromised Axios maintainer account which allowed malicious versions of the library to be published. The malicious Axios release was pulled after a short window, reported at about three hours by community researchers. OpenAI reports the root cause as a misconfiguration in their GitHub Actions workflow that allowed the pipeline to fetch and execute the compromised package while it had access to signing artifacts. Their investigation concluded the certificate was likely not exfiltrated, but it is being treated as compromised and rotated.

Affected artifacts and remediation steps:

• •ChatGPT Desktop (older releases signed with the rotated certificate), Codex App, Codex CLI, Atlas will require updates before May 8, 2026.
• •OpenAI revoked the certificate, rotated signing materials, patched the GitHub Actions workflow, and engaged a third-party digital forensics and incident response firm.
• •OpenAI says passwords and OpenAI API keys were not affected and that there is no evidence of altered software or IP loss.

Supply-chain attacks continue to be the highest-leverage operational risk for software-heavy AI firms. This incident follows a string of npm and repository supply-chain compromises where attacker-controlled packages executed code in CI/CD contexts. The distinguishing feature here is that the compromised package executed inside a signing job with access to notarization and certificate materials, which elevates the risk from mere CI compromise to potential maliciously signed binaries that could impersonate the vendor. OpenAI's quick revocation and rotation of certificates, plus the forced update window, reduced the operational exposure, but the event highlights systemic CI/CD hygiene gaps that ML engineering teams must treat as a first-order risk.

If a signing certificate is abused, attackers can distribute binaries that macOS will treat as legitimately signed, bypassing some platform protections. ML and security engineers must verify that secrets and signing keys are not accessible to jobs that can fetch arbitrary third-party code, adopt reproducible build practices, and enable strict dependency pinning or integrity checks in CI. The incident underscores the practical value of ephemeral signing keys, hardware-backed signing, and least-privilege for CI jobs.

Confirmed cases of maliciously signed distributions or fake apps in the wild, disclosure of additional forensic timelines, and whether other organizations using the same compromised Axios versions observed comparable exposures. Also watch upstream fixes in package manager controls, maintainer account hardening, and platform-level mitigations to prevent code execution in signing jobs.