The software supply chain in check: compromised certificates, exposed secrets and attacks on Axios, Trivy and PyPI

6 min read

The software supply chain has again shown how fragile trust in the open-source ecosystem can be: OpenAI has revealed that a GitHub Actions workflow used to sign its macOS applications downloaded a compromised version of the Axios library on March 31. Although the company says it has not detected access to user data or tampering with its software, the seriousness of the incident lies in the fact that this workflow had access to a certificate and notarization materials used to sign several of the company's popular applications.

Code signing is precisely what allows operating systems to trust software, and an automated process in the release chain running malicious code is a scenario every security lead dreads. OpenAI explained that Axios 1.14.1 was executed inside the macOS signing pipeline used for ChatGPT Desktop, Codex (app and CLI) and Atlas. After a forensic analysis, the company considers it unlikely that the payload could have exfiltrated the certificate, given the sequence and timing of events, but as a precaution it has decided to treat the certificate as compromised and is revoking and rotating it.

Image generated with AI.

As a direct measure, OpenAI states that older versions of its macOS applications will stop receiving updates and support from 8 May 2026, and that builds signed with the previous certificate will be blocked by the default macOS protections, preventing their download or launch unless the user manually bypasses those safeguards. It has also announced the first versions signed with the new certificate: ChatGPT Desktop 1.2026.071, Codex App 26.406.40811, Codex CLI 0.119.0 and Atlas 1.2026.84.2. In parallel, the company is working with Apple to prevent new software from being notarized with the old credential, in an effort to minimize risk and confusion for users while the transition is completed.

The Axios incident is not isolated: Google Threat Intelligence Group (GTIG) attributed the compromise of the package to an actor it tracks as UNC1069. In that operation the attackers took over the maintainer's account and published poisoned versions that introduced a malicious dependency called "plain-cryptojs", which deployed a cross-platform backdoor identified as WAVESHAPER.V2, capable of affecting Windows, macOS and Linux. The Axios case was, along with a series of other intrusions, part of a wave of attacks on open-source components that shook the community in March.

The other major operation targeted Trivy, the vulnerability scanner from Aqua Security. Researchers attribute this attack to a group known as TeamPCP (also referred to as UNC6780) and describe an exploitation chain in which credential stealers, such as the malware dubbed SANDCLOCK, were used to exfiltrate secrets from developer environments, compromise accounts and finally distribute malicious payloads that included self-replicating worms such as CanisterWorm. With those stolen credentials, third parties' continuous-integration automation was poisoned, allowing the attackers to inject malware into packages published on several registries, including the Python Package Index (PyPI).

Security analysts and cybersecurity vendors have been documenting the scope and sophistication of these campaigns. Besides GTIG, firms such as Trend Micro, CrowdStrike, Microsoft, ReversingLabs and others have published analyses describing techniques that range from loaders hidden inside images, to automatic execution mechanisms in Python environments, to the abuse of secrets to move laterally through cloud infrastructure. A striking example on Windows was an executable that extracted a loader from a PNG image to deploy a Trojan with beaconing and remote-control capabilities.

More worrying is the volume of potentially exposed secrets: Google warned that "hundreds of thousands" of stolen credentials and tokens could be in circulation as a result of these incidents, which fuels a sustained risk of further intrusions, extortion and theft of digital assets. Organizations such as the European Commission and private companies have confirmed impact from the Trivy campaign, with data exfiltration and operational consequences that have even led to decisions such as affected contractors temporarily suspending business relationships.

The speed with which the attackers validated and used stolen credentials has been one of the most alarming factors: according to the published research, verification of a secret and the subsequent reconnaissance of the target environment were often completed in under 24 hours. This has led researchers to warn that, although several operations are attributed to the same group, it cannot be ruled out that credentials are being passed between different actors with different objectives.

Given this scenario, both platform maintainers and security companies recommend moving from implicit trust to systematic verification at every layer: using immutable references for dependencies instead of tags that can change, narrowing the scope and lifetime of credentials, hardening base images and execution environments, and treating CI runners as potentially compromised. Initiatives to enforce trusted publishing on registries such as npm and PyPI, and administrative measures such as the adoption of two-factor authentication, are steps now being urgently promoted.
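As an added illustration of the "immutable references" and "narrow credential scope" advice above, here is a small Python checker written for this article (it is not code from OpenAI, GitHub, Aqua or any other party mentioned). It reads a GitHub Actions workflow and flags every `uses:` reference that is not pinned to a full 40-character commit SHA, plus a top-level `permissions: write-all` grant or a missing `permissions:` block. The workflow text is constructed for the example; `example-org/release-tool` and its SHA are placeholders, not a real action or commit.

```python
import re

# Constructed sample workflow (not a real project file). It mixes a mutable
# tag, a branch reference, a full-SHA pin, a local action and an unpinned
# Docker image so that every branch of the checker is exercised.
SAMPLE_WORKFLOW = """\
name: sign-macos
on: [push]
permissions: write-all
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: example-org/release-tool@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./.github/actions/local-sign
      - uses: docker://alpine:3.19
      - run: npm ci
"""

# "uses:" value up to the first space or comment marker.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Git object names are 40 lowercase hex digits; anything else (tag, branch,
# short SHA) can be moved by whoever controls the upstream repository.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Only a column-0 "permissions:" line is the workflow-level grant.
PERMISSIONS_RE = re.compile(r"^permissions:\s*(.*)$")


def classify_ref(uses_value):
    """Return 'local', 'sha-pinned' or 'mutable' for one uses: value."""
    if uses_value.startswith("./"):
        return "local"  # versioned together with the workflow itself
    if uses_value.startswith("docker://"):
        return "sha-pinned" if "@sha256:" in uses_value else "mutable"
    if "@" not in uses_value:
        return "mutable"  # no ref at all resolves to the default branch
    ref = uses_value.rsplit("@", 1)[1]
    return "sha-pinned" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return (line_no, message) findings for mutable refs and broad permissions."""
    findings = []
    saw_permissions = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            value = m.group(1)
            if classify_ref(value) == "mutable":
                findings.append((line_no, f"mutable reference: {value}"))
            continue
        p = PERMISSIONS_RE.match(line)
        if p:
            saw_permissions = True
            if p.group(1).strip() == "write-all":
                findings.append((line_no, "workflow token granted write-all"))
    if not saw_permissions:
        # Line 0 marks a whole-file finding rather than a specific line.
        findings.append((0, "no top-level permissions block; GITHUB_TOKEN gets default scopes"))
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {msg}")
```

On the sample above the checker reports the `write-all` grant, the `@v4` tag, the `@main` branch and the floating `alpine:3.19` image; the SHA-pinned and local actions pass. Pinning to a SHA only removes the "tag was moved" risk, so a pinned reference still needs a review when it is bumped, and the `permissions` block should be narrowed per job rather than left at the workflow default.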

Image generated with AI.

In addition, agencies such as the US CISA have added some of these vulnerabilities to their catalogue of known exploited vulnerabilities, obliging certain agencies to apply mitigations within fixed deadlines. Secret-scanning platforms, detection of suspicious executions, and continuous audits of pipelines and code repositories have become essential practices for reducing the likelihood that an initial compromise escalates into a broader intrusion.
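To make the "secret scanning" practice concrete, the following Python snippet is an added example for this article (not a tool from CISA, Google or any vendor named here). It runs a handful of well-known credential shapes over a constructed CI log excerpt, the kind of output a build step can leak when a script echoes its environment, and reports each hit with the value masked so the scanner's own output does not become a second leak. The log lines and token values are constructed dummies that only match the format of each credential type.

```python
import re

# Constructed dummy tokens: correct shape, no real value behind them.
FAKE_AWS = "AKIA" + "EXAMPLE" + "0" * 9          # AKIA + 16 uppercase alphanumerics
FAKE_GH = "ghp_" + "0" * 36                       # classic GitHub PAT prefix + 36 chars
FAKE_PYPI = "pypi-AgEIcHlwaS5vcmc" + "A" * 24     # PyPI API token prefix + body
FAKE_NPM = "npm_" + "0" * 36                      # npm granular token prefix + 36 chars

# Constructed CI log excerpt, not real output from any pipeline.
SAMPLE_LOG = f"""\
[12:00:01] Run npm ci
[12:00:02] export AWS_ACCESS_KEY_ID={FAKE_AWS}
[12:00:02] export GH_TOKEN={FAKE_GH}
[12:00:03] twine upload --password {FAKE_PYPI} dist/*
[12:00:04] npm config set //registry.npmjs.org/:_authToken {FAKE_NPM}
[12:00:05] echo "build ok"
"""

# Prefix-anchored patterns for token formats whose shape is public. Dict order
# decides the order of hits within one line.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "pypi-token": re.compile(r"\bpypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{20,}"),
    "npm-token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
}


def redact(secret, keep=4):
    """Keep a short prefix so the token type stays recognisable; mask the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_lines(text):
    """Return (line_no, kind, redacted_value) for every credential-shaped token."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((line_no, kind, redact(m.group(0))))
    return hits


if __name__ == "__main__":
    for line_no, kind, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {kind} -> {masked}")
```

Four fixed prefixes are obviously not a complete scanner: production tools add entropy checks, many more providers and, crucially, verification against the issuer so that a confirmed-live token can be revoked first. The point the snippet makes is the response path: a hit in CI output should trigger rotation of that credential, not just a cleanup of the log.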

If there is one clear lesson, it is that the security of modern software is no longer the sole responsibility of those who write the final application: it depends on the whole chain, from third-party libraries to automation scripts and the secrets stored in CI/CD services. While technical teams adapt to this reality, the recent incidents underline the need for organizations to invest in preventive controls and agile response, and for users to keep their applications up to date to avoid being affected by potentially compromised certificates or components.

For more technical detail and analysis of these campaigns, see the communications and write-ups of the response teams and firms that investigated the incidents, including the Google Threat Analysis Group blog, the reports of several cybersecurity companies and OpenAI's official blog posts: Google TAG, OpenAI Blog, CrowdStrike, Wiz and the CISA catalogue at CISA.
