**OpenAI** revealed that a **GitHub Actions** workflow used to sign its macOS apps led to the download of the malicious **Axios** library on March 31. The company stated, "Out of an abundance of caution, we are taking steps to protect the process that certifies our macOS applications are legitimate **OpenAI** apps. We found no evidence that **OpenAI** user data was accessed, that our systems or intellectual property were compromised, or that our software was altered." This disclosure follows an attribution by **Google Threat Intelligence Group (GTIG)**, linking the supply chain compromise of the **npm** package **Axios** to the North Korean hacking group **UNC1069**. ### Axios Compromise Details The attack involved hijacking the package maintainer's **npm** account to push two poisoned versions, 1.14.1 and 0.30.4. These versions contained a malicious dependency named "plain-crypto-js," which deployed a cross-platform backdoor called WAVESHAPER.V2 targeting Windows, macOS, and Linux systems. **OpenAI** confirmed that its **GitHub Actions** workflow, part of its macOS app-signing process, downloaded and executed **Axios** version 1.14.1. This workflow had access to a certificate and notarization material used for signing ChatGPT Desktop, Codex, Codex CLI, and Atlas. "Our analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors," the company said. ### Certificate Revocation and Impact Despite finding no evidence of data exfiltration, **OpenAI** is treating the certificate as compromised, revoking and rotating it. As a result, older versions of all its macOS desktop apps will no longer receive updates or support starting May 8, 2026. Apps signed with the previous certificate will be blocked by macOS security protections by default, preventing them from being downloaded or launched. The earliest releases signed with their updated certificate are: * ChatGPT Desktop - 1.2026.071 * Codex App - 26.406.40811 * Codex CLI - 0.119.0 * Atlas - 1.2026.84.2 **OpenAI** is also collaborating with **Apple** to ensure software signed with the previous certificate cannot be newly notarized. The 30-day window until May 8, 2026, is intended to minimize user disruption and allow sufficient time for updates. **OpenAI** stated, "In the event that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate **OpenAI** software. We have stopped new software notarizations using the old certificate, so new software signed with the old certificate by an unauthorized third-party would be blocked by default by macOS security protections unless a user explicitly bypasses them." ### Two Supply Chain Attacks Rock March The breach of **Axios** was one of two major supply chain attacks in March targeting the open-source ecosystem. The other incident targeted **Trivy**, a vulnerability scanner maintained by **Aqua Security**, resulting in cascading impacts across five ecosystems, affecting numerous popular libraries dependent on it. The attack, attributed to the cybercriminal group **TeamPCP** (aka UNC6780), deployed a credential stealer named SANDCLOCK to extract sensitive data from developer environments. The stolen credentials were then used to compromise **npm** packages and push a self-propagating worm named CanisterWorm. Days later, secrets pilfered from the **Trivy** intrusion were used to inject the same malware into two **GitHub Actions** workflows maintained by **Checkmarx**. The attackers then published malicious versions of **LiteLLM** and **Telnyx** to the Python Package Index (PyPI), both of which use **Trivy** in their CI/CD pipeline. **Trend Micro** noted, "The **Telnyx** compromise indicates a continued change in the techniques used in **TeamPCP**'s supply chain activity, with adjustments to tooling, delivery methods, and platform coverage," in an analysis of the attack. "In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling, evolving their delivery from inline Base64 to .pth auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence." On Windows systems, the hack resulted in the deployment of an executable named "msbuild.exe" that employs obfuscation techniques to evade detection and extracts DonutLoader, a shellcode loader, from a PNG image within the binary to load a full-featured trojan and a beacon associated with AdaptixC2, an open-source command-and-control (C2) framework. Additional analyses of the campaign, now identified as **CVE-2026-33634**, have been published by various cybersecurity vendors: * [**CrowdStrike**](https://www.crowdstrike.com/en-us/blog/from-scanner-to-stealer-inside-the-trivy-action-supply-chain-compromise/) * [FUTURESEARCH](https://futuresearch.ai/blog/no-prompt-injection-required/) * [Hexastrike](https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk/) * [Kudelski Security](https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise) * [**Microsoft**](https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/) * [OpenSourceMalware](https://opensourcemalware.com/blog/teampcp-supply-chain-campaign) * [Palo Alto Networks Unit 42](https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/) * [ReversingLabs](https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads) * [SOCRadar](https://socradar.io/blog/teampcp-checkmarx-github-actions-attack/) * [Sonatype](https://www.sonatype.com/blog/compromised-litellm-pypi-package-delivers-multi-stage-credential-stealer) * [StepSecurity](https://www.stepsecurity.io/blog/litellm-credential-stealer-hidden-in-pypi-wheel) * [Snyk](https://snyk.io/blog/poisoned-security-scanner-backdooring-litellm/) * [Trend Micro](https://www.trendmicro.com/en_us/research/26/c/inside-litellm-supply-chain-compromise.html) * [TRUESEC](https://www.truesec.com/hub/blog/malicious-pypi-package-litellm-supply-chain-compromise) * [Wiz](https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign) **TeamPCP**'s supply chain compromise rampage may have concluded, but the group has since shifted its focus towards monetizing existing credential harvests by teaming up with other financially motivated groups like Vect, LAPSUS$, and ShinyHunters. Evidence indicates that the threat actor has also launched a proprietary ransomware operation under the name CipherForce.