OpenAI replaces its macOS code-signing certificates after the Axios compromise and warns about the revocation of the old certificate


OpenAI has decided to replace its macOS code-signing certificates after detecting that a GitHub Actions workflow executed, on March 31, 2026, a compromised version of the Axios library (1.14.1). That workflow had access to the certificates used to sign several OpenAI applications for macOS, including ChatGPT Desktop, Codex, Codex CLI and Atlas. Although the internal investigation found no evidence that the keys were misused, the company chose to act "out of caution" and rotate and revoke the affected certificates.

What does this mean in practice? Signing certificates are what allow macOS and its security mechanisms to recognize an application as legitimate and as coming from its developer. If an attacker obtained a valid copy of those certificates, they could sign malicious software and make it look like a legitimate OpenAI app. To mitigate this risk, OpenAI is issuing new certificates and, in collaboration with Apple, blocking any future software from being notarized with the previous certificate. According to the company, the old certificate will be fully revoked on May 8, 2026; from that date, macOS may refuse to run versions signed with the withdrawn key.


OpenAI worked with an external incident response firm to audit what happened. The investigation found no evidence that the certificates had been exfiltrated or used to distribute malicious software, nor any sign that user data, passwords or API keys had been compromised. The company also reviewed its prior notarization activity and verified that everything notarized with this certificate to date consisted of legitimate binaries.

What should macOS users do? Users will need to update their OpenAI applications to versions signed with the new certificate; OpenAI warns that old versions may stop working from May 8. The recommendation is to use the applications' built-in updaters or download installers from OpenAI's official pages, and to avoid installing executables received by email, through ads, or via links from unverified third-party sites.

The company has also made clear that the problem is limited to its macOS applications: according to its statement, its web services and its iOS, Android, Windows and Linux applications were not affected by this incident. OpenAI is maintaining continuous monitoring and reserves the option of accelerating the revocation if it detects suspicious activity involving the old certificate.

The incident is part of a software supply chain compromise campaign that researchers have attributed to a North Korea-linked actor known as UNC1069. In this case, the attackers reportedly ran a social engineering operation against a maintainer of the Axios project: they set up a fake collaboration meeting by video call that led to malware being installed on the developer's machine and, with control of the account, published malicious versions of the package on npm. Those versions included a component that deployed a remote access trojan (RAT) targeting macOS, Windows and Linux, turning the compromised library into a vector for distributing harmful code to every project that pulled it in.

Attacks on the open source supply chain are not new, but they have gained visibility because a single compromised component can reach hundreds or thousands of projects and end users. This episode again underlines that compromises do not always stem from technical flaws; they often begin with deception aimed at people: fake invitations, bogus collaboration spaces, and calls in which the target is persuaded to run software or apparently harmless commands.


Which technical and organizational measures reduce this risk is something many development teams are now re-examining: applying the principle of least privilege in CI/CD pipelines so that workflows have no unnecessary access to secrets and certificates, encrypting and rotating keys regularly, using signatures and integrity checks on dependencies, requiring strong authentication (such as 2FA) for critical maintainer accounts, and monitoring for unusual activity in repository and package accounts. GitHub publishes guides for hardening Actions and mitigating risk in continuous integration environments, and organizations such as CISA publish software supply chain recommendations that are useful for teams of all sizes.
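To make the CI/CD measures above concrete, here is a constructed, simplified GitHub Actions workflow, first in a risky form and then hardened; it is an added illustration, not OpenAI's actual pipeline, and the script name, secret names and the `<FULL_COMMIT_SHA>` placeholders are assumptions.

```yaml
# --- Before: constructed example of a risky workflow (not OpenAI's pipeline) ---
name: release-macos
on: [push, pull_request]          # runs for every push and pull request
permissions: write-all            # token can write to the repo, releases and packages
jobs:
  build-and-sign:
    runs-on: macos-latest
    env:                          # signing material visible to EVERY step, tests included
      APPLE_CERT_P12: ${{ secrets.APPLE_CERT_P12 }}
      APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
    steps:
      - uses: actions/checkout@v4 # movable tag, not a commit SHA
      - run: npm install          # resolves to the newest matching release: a freshly
                                  # published malicious version is pulled in and its
                                  # install scripts run here, with the secrets in scope
      - run: npm test
      - run: ./scripts/sign-and-notarize.sh   # hypothetical script

---
# --- After: the same pipeline with least privilege and pinned dependencies ---
name: release-macos
on:
  push:
    tags: ['v*']                  # only tagged releases, never arbitrary pushes or PRs
permissions:
  contents: read                  # default token is read-only
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>   # placeholder: pin actions to a commit SHA
      - run: npm ci --ignore-scripts   # install exactly what package-lock.json records;
                                       # a new upstream release is not picked up until the
                                       # lockfile is deliberately updated and reviewed
      - run: npm test               # no secrets at all in this job
      - uses: actions/upload-artifact@<FULL_COMMIT_SHA>
        with: { name: app-bundle, path: dist/ }
  sign:
    needs: build
    runs-on: macos-latest
    environment: release          # secrets scoped to this environment, with required reviewers
    steps:
      - uses: actions/download-artifact@<FULL_COMMIT_SHA>
        with: { name: app-bundle, path: dist/ }
      - run: ./scripts/sign-and-notarize.sh   # hypothetical; the only step that sees the certificate
        env:
          APPLE_CERT_P12: ${{ secrets.APPLE_CERT_P12 }}
          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
```

The split into a build job without secrets and a separate signing job means a dependency that runs during install or test never executes with the signing certificate available to it.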

For those who want to dig deeper, OpenAI published a security advisory with details of the incident and the actions taken, in its official statement. For context on how notarization and application signing work on macOS, Apple's notarization documentation gives a technical view of why these certificates are critical to system security: Notarizing macOS software. For teams that deploy with GitHub Actions, GitHub's security hardening guide is a practical reference for reducing the attack surface of pipelines: Hardening GitHub Actions. And to understand the scale and risks of this kind of supply chain campaign, CISA offers resources and practical guidance: CISA - Supply Chain Security.

The key lesson is twofold: on the one hand, technical security matters (access control, secret rotation and audits); on the other, human security remains the Achilles heel. As long as teams continue to rely on third-party packages and automated integrations, it is essential to combine technical controls with training and procedures that reduce the likelihood that an invitation or a malicious file ends up opening the door to a large-scale intrusion.
