OpenAI has disclosed that a GitHub Actions workflow used to sign its macOS apps pulled in the malicious Axios library on March 31, but noted that no user data or internal system was compromised.
“Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps,” OpenAI said in a post last week. “We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered.”
The disclosure comes a little over a week after Google Threat Intelligence Group (GTIG) attributed the supply chain compromise of the popular npm package to a North Korean hacking group it tracks as UNC1069.
The attack enabled the threat actors to hijack the package maintainer’s npm account and push two poisoned versions, 1.14.1 and 0.30.4, that came embedded with a malicious dependency named “plain-crypto-js,” which deployed a cross-platform backdoor known as WAVESHAPER.V2 to infect Windows, macOS, and Linux systems.
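A defender's first question after reading the above is whether any of their own projects resolved to the two poisoned releases or pulled in the malicious dependency. The following script is an added example, not code from the article or from the Axios project: it walks a parsed `package-lock.json` (v1, v2 or v3 layouts) and flags the indicators the article names. The sample lockfile embedded at the bottom is constructed for illustration, and the version recorded for `plain-crypto-js` in it is a placeholder, not a real release.

```python
import json

# Indicators reported in the article: the two poisoned axios releases and the
# malicious dependency they carried. Extend these sets from your own advisory feed.
POISONED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_PACKAGES = {"plain-crypto-js"}


def _check(name, version, where, findings):
    """Record a finding if this (name, version) matches a known-bad indicator."""
    if name == "axios" and version in POISONED_AXIOS_VERSIONS:
        findings.append(f"{where}: axios@{version} is a known-poisoned release")
    if name in MALICIOUS_PACKAGES:
        findings.append(f"{where}: malicious dependency {name}@{version} is installed")


def _walk_v1(deps, prefix, findings):
    """lockfileVersion 1 nests transitive deps under each entry's 'dependencies'."""
    for name, meta in deps.items():
        where = f"{prefix}{name}"
        _check(name, meta.get("version", ""), where, findings)
        _walk_v1(meta.get("dependencies", {}), where + " > ", findings)


def find_poisoned(lock: dict) -> list:
    """Return human-readable findings for a parsed package-lock.json (v1, v2 or v3)."""
    findings = []
    # v2/v3: flat 'packages' map keyed by install path; "" is the root project entry
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        # 'node_modules/a/node_modules/@scope/b' -> '@scope/b' (nested and scoped paths)
        name = path.rsplit("node_modules/", 1)[-1]
        _check(name, meta.get("version", ""), path, findings)
    # v1 has only the nested 'dependencies' tree (v2 keeps a copy, already covered above)
    if "packages" not in lock:
        _walk_v1(lock.get("dependencies", {}), "", findings)
    return findings


# Constructed sample lockfile (not a real project): axios resolved to the
# poisoned 1.14.1, which in turn pulled in plain-crypto-js. Versions other than
# the two axios releases named in the article are placeholders.
SAMPLE_LOCK = json.loads("""{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "*"}},
    "node_modules/plain-crypto-js": {"version": "0.0.0-placeholder"},
    "node_modules/follow-redirects": {"version": "1.15.0"}
  }
}""")

if __name__ == "__main__":
    import sys
    # Usage: python check_lock.py path/to/package-lock.json (falls back to the sample)
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    hits = find_poisoned(lock)
    for hit in hits:
        print("FINDING", hit)
    sys.exit(1 if hits else 0)
```

The exit status makes the check usable as a CI gate; run it against every lockfile in the build tree, not just the top-level one, since vendored subprojects carry their own locks.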
The artificial intelligence (AI) company said a GitHub Actions workflow it uses as part of its macOS app-signing process downloaded and executed Axios version 1.14.1. The workflow, it added, had access to a certificate and notarization material used for signing ChatGPT Desktop, Codex, Codex CLI, and Atlas.
“Our analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors,” the company said.
Despite finding no evidence of data exfiltration, OpenAI said it is treating the certificate as compromised and is revoking and rotating it. As a result, older versions of all its macOS desktop apps will no longer receive updates or support starting May 8, 2026.
This also means that apps signed with the previous certificate will be blocked by macOS security protections by default, preventing them from being downloaded or launched. The earliest releases signed with the updated certificate are listed below –
- ChatGPT Desktop – 1.2026.071
- Codex App – 26.406.40811
- Codex CLI – 0.119.0
- Atlas – 1.2026.84.2
As part of its remediation efforts, OpenAI is also working with Apple to ensure software signed with the previous certificate cannot be newly notarized. The 30-day window until May 8, 2026, is a way to minimize user disruption and give users enough time to make sure they are updated to the latest version, it pointed out.
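For a fleet administrator, the practical task before the May 8 cutoff is to find installs that are still on a build signed with the revoked certificate. The following is an added example, not OpenAI's own tooling: it keeps the minimum versions from the list above, compares dotted version strings numerically (so `1.2026.84` sorts below `1.2026.84.2` and leading zeros in `071` do not confuse a string comparison), and reads `CFBundleShortVersionString` from an app bundle's `Info.plist`. The embedded plist is constructed for illustration, and the `/Applications/...` path mentioned in the comment is an assumption about where the bundle lives, not something the article states.

```python
import plistlib

# Earliest releases signed with the rotated certificate, as listed in the article.
MINIMUM_VERSIONS = {
    "ChatGPT Desktop": "1.2026.071",
    "Codex App": "26.406.40811",
    "Codex CLI": "0.119.0",
    "Atlas": "1.2026.84.2",
}


def parse_version(v: str) -> tuple:
    """Split a dotted version into integers so '1.2026.071' is compared numerically."""
    return tuple(int(part) for part in v.strip().split("."))


def meets_minimum(installed: str, minimum: str) -> bool:
    """True if installed >= minimum; the shorter tuple is zero-padded (1.2026.84 == 1.2026.84.0)."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def needs_update(app: str, installed: str) -> bool:
    """True if this app is still on a build signed with the revoked certificate."""
    return not meets_minimum(installed, MINIMUM_VERSIONS[app])


def installed_version_from_plist(plist_bytes: bytes) -> str:
    """Read CFBundleShortVersionString from an app bundle's Contents/Info.plist."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]


# Constructed Info.plist for the example. On a real Mac you would read the bytes of
# <bundle>/Contents/Info.plist, e.g. /Applications/ChatGPT.app (path assumed here).
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleName": "ChatGPT",
    "CFBundleShortVersionString": "1.2026.070",
})

if __name__ == "__main__":
    ver = installed_version_from_plist(SAMPLE_PLIST)
    status = "UPDATE REQUIRED" if needs_update("ChatGPT Desktop", ver) else "OK"
    print(f"ChatGPT Desktop {ver}: {status} (minimum {MINIMUM_VERSIONS['ChatGPT Desktop']})")
```

The plist reader only applies to `.app` bundles; Codex CLI is a command-line tool, so its installed version has to come from the tool itself, but the same `needs_update` comparison applies once you have the string.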
“In the event that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate OpenAI software,” OpenAI said. “We have stopped new software notarizations using the old certificate, so new software signed with the old certificate by an unauthorized third-party would be blocked by default by macOS security protections unless a user explicitly bypasses them.”
Two Supply Chain Attacks Rock March
The breach of Axios, one of the most widely used HTTP client libraries, was one of two major supply chain attacks that took place in March aimed at the open-source ecosystem. The other incident targeted Trivy, a vulnerability scanner maintained by Aqua Security, resulting in cascading impacts across five ecosystems and affecting a number of other popular libraries that depend on it.
The attack, the work of a cybercriminal group known as TeamPCP (aka UNC6780), deployed a credential stealer dubbed SANDCLOCK that facilitated the extraction of sensitive data from developer environments. The threat actors subsequently weaponized the stolen credentials to compromise npm packages and push a self-propagating worm named CanisterWorm.
Days later, the crew used secrets pilfered from the Trivy intrusion to inject the same malware into two GitHub Actions workflows maintained by Checkmarx. The threat actors then followed it up by publishing malicious versions of LiteLLM and Telnyx to the Python Package Index (PyPI), both of which use Trivy in their CI/CD pipeline.
“The Telnyx compromise indicates a continued change in the techniques used in TeamPCP’s supply chain activity, with adjustments to tooling, delivery methods, and platform coverage,” Trend Micro said in an analysis of the attack.
“In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving their delivery from inline Base64 to .pth auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence.”
On Windows systems, the hack of the Telnyx Python SDK resulted in the deployment of an executable named “msbuild.exe” that employs multiple obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image present within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework.
Additional analyses of the campaign, now identified as CVE-2026-33634, have been published by various cybersecurity vendors –
TeamPCP’s supply chain compromise rampage may have come to an end, but the group has since shifted its focus towards monetizing existing credential harvests by teaming up with other financially motivated groups like Vect, LAPSUS$, and ShinyHunters. Evidence indicates that the threat actor has also launched a proprietary ransomware operation under the name CipherForce.
These efforts have been complemented by TeamPCP’s use of the stolen data to access cloud and software-as-a-service (SaaS) environments, marking a new escalation of the campaign. To that end, the cybercrime gang has been found to validate stolen credentials using TruffleHog, launch discovery operations within 24 hours of validation, exfiltrate additional data, and attempt lateral movement to gain access to the broader network.
“The credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data,” Wiz researchers said. “While the speed at which they were used suggests that it was the work of the same threat actors responsible for the supply chain operations, we are not able to rule out the secrets being shared with other groups and used by them.”
Attacks Ripple Through Dependencies
Google has warned that “hundreds of thousands of stolen secrets” could potentially be circulating as a result of the Axios and Trivy attacks, fueling more software supply chain attacks, SaaS environment compromises, ransomware and extortion events, and cryptocurrency theft over the near term.
Two organizations that have confirmed compromise via the Trivy supply chain attack are artificial intelligence (AI) data training startup Mercor and the European Commission. While the company has not shared details on the impact, the LAPSUS$ extortion group listed Mercor on its leak site, claiming to have exfiltrated about 4TB of data. The Mercor breach has led Meta to pause its work with the company, according to a report from WIRED.
Earlier this month, CERT-EU revealed that the threat actors used the stolen AWS secret to exfiltrate data from the Commission’s cloud environment. This included data relating to websites hosted for as many as 71 clients of the Europa hosting service and outbound email communications. The ShinyHunters group has since released the exfiltrated dataset publicly on its dark web leak site.
GitGuardian’s analysis of the Trivy and LiteLLM supply chain attacks and their spread through dependencies and automation pipelines has found that 474 public repositories executed malicious code from the compromised “trivy-action” workflow, and 1,750 Python packages were configured in a way that would automatically pull the poisoned versions.
“TeamPCP is deliberately targeting security tools that run with elevated privileges by design. Compromising them gives the attacker access to some of the most sensitive environments in the organization, because security tools are typically granted broad access by design,” Brett Leatherman, assistant director of the Cyber Division at the U.S. Federal Bureau of Investigation (FBI), wrote on LinkedIn.
The supply chain incidents are dangerous because they take aim at the inherent trust developers assume when downloading packages and dependencies from open-source repositories. “Trust was assumed where it should have been verified,” Mark Lechner, chief information security officer at Docker, said.
“The organizations that came through these incidents with minimal damage had already begun replacing implicit trust with explicit verification at every layer of their stack: verified base images instead of community pulls, pinned references instead of mutable tags, scoped and short-lived credentials instead of long-lived tokens, and sandboxed execution environments instead of wide-open CI runners.”
Both Docker and the Python Package Index (PyPI) maintainers have outlined a long list of recommendations that developers can implement to counter such attacks –
- Pin packages by digest or commit SHA instead of mutable tags.
- Use Docker Hardened Images (DHI).
- Enforce minimum release age settings to delay adoption of new versions for dependency updates.
- Treat every CI runner as a potential breach point and avoid pull_request_target triggers in GitHub Actions unless absolutely necessary.
- Use short-lived, narrowly scoped credentials.
- Use an internal mirror or artifact proxy.
- Deploy canary tokens to get alerted to potential exfiltration attempts.
- Audit the environment for hard-coded secrets.
- Run AI coding agents in sandboxed environments.
- Use trusted publishing to push packages to npm and PyPI.
- Secure the open-source development pipeline with two-factor authentication (2FA).
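Three of the recommendations above (pin to commit SHAs, avoid `pull_request_target`, enforce a minimum release age) can be checked mechanically in CI. The following is an added example, not Docker's or PyPI's tooling: `audit_workflow` scans a GitHub Actions workflow for `uses:` steps pinned to mutable refs and for the `pull_request_target` trigger, and `pick_release` implements the release-age gate, returning the newest version that has been public for at least the configured number of days. The workflow excerpt and the publish timeline are constructed for illustration; the 40-character SHA in the excerpt is a placeholder, and only the final release date echoes the article's timeline.

```python
import re
from datetime import datetime, timedelta, timezone

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches 'uses: owner/repo[/path]@ref'; local './action' and docker:// refs are ignored.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")


def audit_workflow(text: str) -> list:
    """Return (line_number, message) findings for a GitHub Actions workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "pull_request_target" in line:
            findings.append((lineno, "pull_request_target runs in the base repository's context "
                                     "with access to its secrets; remove it unless absolutely necessary"))
        m = USES_LINE.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            findings.append((lineno, f"{m.group(1)} is pinned to mutable ref '{m.group(2)}'; "
                                     "pin to a full 40-character commit SHA"))
    return findings


def pick_release(published: dict, now: datetime, min_age_days: int):
    """Minimum-release-age gate: newest version public for at least min_age_days.

    published maps version -> publish timestamp (UTC). Returns None when nothing
    qualifies, which a pipeline should treat as 'keep the currently pinned version'.
    """
    min_age = timedelta(days=min_age_days)
    eligible = [(ts, v) for v, ts in published.items() if now - ts >= min_age]
    return max(eligible)[1] if eligible else None


# Constructed workflow excerpt (not any real project's pipeline). The SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: sign-macos
on:
  push:
    branches: [main]
  pull_request_target:
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: npm ci
"""

# Constructed publish timeline for a hypothetical package; only the last entry mirrors
# the article (a poisoned release appearing on March 31, 2026).
UTC = timezone.utc
SAMPLE_RELEASES = {
    "1.13.0": datetime(2026, 2, 10, tzinfo=UTC),
    "1.14.0": datetime(2026, 3, 12, tzinfo=UTC),
    "1.14.1": datetime(2026, 3, 31, tzinfo=UTC),
}
EXAMPLE_NOW = datetime(2026, 4, 2, tzinfo=UTC)  # a build running two days after the poisoned push

if __name__ == "__main__":
    for lineno, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {msg}")
    print("with a 7-day minimum age, update to:", pick_release(SAMPLE_RELEASES, EXAMPLE_NOW, 7))
```

With a 7-day minimum age the gate selects `1.14.0` and skips the two-day-old `1.14.1`, which is the point of the recommendation: a freshly pushed version gets no chance to reach builds before the ecosystem has had time to notice it. Note that `pick_release` orders by publish time rather than semantic version, which is what a release-age policy wants but differs from a resolver's ordering.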
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2026-33634 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by April 9, 2026.
“The number of recent software supply chain attacks is overwhelming,” Charles Carmakal, chief technology officer of Mandiant Consulting at Google, said. “Defenders need to pay close attention to these campaigns. Enterprises should spin up dedicated projects to assess the existing impact, remediate, and harden against future attacks.”