Security and Cloud | 14 April 2026

OpenAI Revokes macOS App Certificate After Axios Supply Chain Attack Exposes Growing Open-Source Security Risks

A major software supply chain security scare has forced OpenAI to revoke and rotate its macOS app certificate after a malicious version of the widely used Axios library was introduced through a compromised GitHub Actions workflow. While no user data or internal systems were reportedly impacted, the incident highlights how fragile modern software pipelines have become—and how quickly trusted tools can turn into attack vectors.

The breach is part of a wider wave of software supply chain attacks targeting open-source ecosystems, CI/CD pipelines, and developer dependencies, raising urgent questions about how companies secure the tools they rely on every day.

How a GitHub Actions workflow became the entry point

According to OpenAI, the issue began on March 31 when a GitHub Actions workflow used for macOS app signing unintentionally downloaded a malicious version of the Axios library (v1.14.1). Axios is one of the most widely used HTTP client libraries in modern development, making its compromise especially impactful.

That malicious version included a poisoned dependency called plain-crypto-js, which deployed a cross-platform backdoor known as WAVESHAPER.V2. This payload was capable of targeting Windows, macOS, and Linux environments.

The affected workflow also had access to sensitive certificate and notarization materials used for signing several OpenAI desktop tools, including ChatGPT Desktop and Codex applications. However, OpenAI says multiple timing and sequencing safeguards likely prevented any successful extraction of those credentials.
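A lockfile check for the two package names given above, as an added example that is not code from OpenAI or the Axios project. It assumes an npm `package-lock.json` in lockfileVersion 2 or 3 format (the `packages` map); the sample lockfile, its `demo-app` and `left-pad` entries and the `0.0.0` version are constructed for illustration.

```javascript
// Added example: audit an npm lockfile for the packages named in this article.
// Indicators come from the article text only: axios 1.14.1 and plain-crypto-js.
const FLAGGED = [
  { name: "axios", version: "1.14.1" },       // malicious release named above
  { name: "plain-crypto-js", version: null }  // any version is treated as suspect
];

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; the package
// name is whatever follows the last "node_modules/" segment.
function packageName(lockKey) {
  const idx = lockKey.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockKey.slice(idx + "node_modules/".length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name) continue; // the "" key is the root project entry
    // Case 1: a flagged package is itself installed.
    for (const f of FLAGGED) {
      if (name === f.name && (f.version === null || meta.version === f.version)) {
        findings.push({ path: key, name, version: meta.version, reason: "installed" });
      }
    }
    // Case 2: some package declares a fully flagged name as a dependency.
    for (const dep of Object.keys(meta.dependencies || {})) {
      if (FLAGGED.some(f => f.name === dep && f.version === null)) {
        findings.push({ path: key, name, version: meta.version, reason: `depends on ${dep}` });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "0.0.0" } },
    "node_modules/plain-crypto-js": { version: "0.0.0" },
    "node_modules/left-pad": { version: "1.3.0" }
  }
};

console.log(auditLockfile(sampleLock));
```

Run it against every lockfile a signing or release workflow consumes, not only the application's own, since the build tooling's dependency tree is what executes next to the credentials.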

Why OpenAI is still revoking the certificate

Even though no compromise of user data or internal infrastructure was detected, OpenAI took the cautious step of revoking and rotating its macOS signing certificate. The company emphasized that treating the certificate as compromised was necessary due to the potential risk of misuse.

If attackers had successfully extracted the certificate, it could have been used to sign malicious software and disguise it as legitimate OpenAI applications—an especially dangerous scenario given macOS’s built-in trust mechanisms.

To reduce risk, OpenAI has also coordinated with Apple to prevent new notarization attempts using the old certificate. Older versions of macOS apps will lose support and updates after May 8, 2026, and may be blocked by macOS security protections by default.

The bigger picture: a month filled with supply chain chaos

The Axios incident wasn’t isolated. It was one of two major open-source supply chain attacks discovered in March, alongside a separate compromise of the Trivy vulnerability scanner maintained by Aqua Security.

Security researchers attribute parts of these campaigns to multiple threat groups, including UNC1069 (linked to a North Korean hacking operation) and a financially motivated cluster tracked as TeamPCP (UNC6780). These groups have been observed weaponizing stolen credentials, compromising npm packages, and even deploying self-propagating malware across ecosystems.

What makes these attacks especially concerning is their reach. Once inside a trusted dependency or CI/CD pipeline, attackers can silently spread through thousands of downstream projects without directly targeting end users.

From Axios to Trivy: how attacks spread through trust

In the Trivy-related breach, attackers deployed credential-stealing malware that extracted sensitive tokens from developer environments. These credentials were later used to compromise GitHub Actions workflows and publish malicious packages to Python’s package index (PyPI).

Security firms report that the malware evolved rapidly, using techniques like obfuscation, steganography (hiding payloads inside images), and multi-platform persistence methods targeting both Windows and Linux systems.

In one case, a malicious Windows binary disguised itself as a legitimate system tool while extracting additional payloads from image files—a technique designed to bypass traditional security scanning tools.

Why supply chain attacks are escalating so quickly

One of the most worrying trends is speed. Attackers are now validating stolen credentials within hours, not days, and immediately using them to explore cloud environments, SaaS platforms, and internal developer systems.

Security researchers also warn that hundreds of thousands of stolen secrets may now be circulating, increasing the likelihood of follow-up attacks such as ransomware, cloud breaches, and extortion campaigns.

In fact, organizations including Mercor and even parts of the European Commission’s cloud infrastructure have already been linked to downstream impact from the Trivy compromise.

What makes modern CI/CD pipelines such a soft target

At the core of these incidents is a simple problem: trust. Modern development pipelines rely heavily on third-party packages, automated workflows, and shared build systems. When any one of those components is compromised, attackers can quietly infiltrate entire ecosystems.

Security experts increasingly argue that the industry is shifting toward a “zero implicit trust” model. Instead of assuming dependencies are safe, organizations are being pushed to verify every layer—from build environments to package integrity.

This shift is also accelerating adoption of practices like pinned dependencies, short-lived credentials, and sandboxed CI runners, all aimed at reducing the blast radius of a single compromise.
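One way to check a workflow for the pinning practice mentioned above, as an added example that is not taken from any of the affected projects. It is a line-based check rather than a full YAML parser; the sample workflow, its `sign-macos` name and the 40-character commit SHA are constructed.

```javascript
// Added example: flag unpinned references in a GitHub Actions workflow file.
const FULL_SHA = /^[0-9a-f]{40}$/;

function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((line, i) => {
    const code = line.replace(/\s+#.*$/, ""); // drop trailing comments
    // `uses: owner/repo@ref`: a tag or branch ref can be moved to new code
    // by whoever controls the repository; a full commit SHA cannot.
    const uses = code.match(/^\s*-?\s*uses:\s*["']?([^\s"'@]+)@([^\s"']+)/);
    if (uses && !uses[1].startsWith("./") && !FULL_SHA.test(uses[2])) {
      findings.push({ line: i + 1, issue: "action-not-pinned-to-sha",
                      detail: `${uses[1]}@${uses[2]}` });
    }
    // `npm install` may resolve versions and rewrite the lockfile;
    // `npm ci` installs what the lockfile records or fails.
    if (/\bnpm\s+(install|i)\b/.test(code)) {
      findings.push({ line: i + 1, issue: "floating-npm-install", detail: code.trim() });
    }
  });
  return findings;
}

// Constructed sample workflow; the SHA below is a made-up placeholder.
const sampleWorkflow = [
  "name: sign-macos",
  "on: push",
  "jobs:",
  "  sign:",
  "    runs-on: macos-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # constructed SHA",
  "      - run: npm install",
  "      - run: npm ci"
].join("\n");

console.log(auditWorkflow(sampleWorkflow));
```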

Where open-source security goes from here

The Axios and Trivy incidents reinforce a growing reality: open-source software is only as secure as its weakest dependency. As attackers refine their methods, the focus is shifting from endpoint protection to pipeline protection.

Expect to see more emphasis on software provenance, signed builds, and stricter controls around CI/CD permissions in the months ahead. Developers are also being encouraged to treat build systems as high-risk environments rather than trusted automation layers.

The challenge now is balancing openness and speed with verification and control—without slowing down modern software development.

Final thought

These attacks didn’t just exploit code—they exploited trust. And in a world where nearly every application depends on layers of external libraries and automated pipelines, that trust has become one of the most valuable targets.

So the real question is: how much trust should software development still be allowed to assume?

INTELLIGENCE SOURCE: INVENTRIUM RESEARCH