
OpenAI macOS Certificate Revocation: Axios Supply Chain Incident and Hardening

Security Arsenal Team
April 13, 2026

Introduction

On March 31, 2026, OpenAI disclosed a significant supply chain security event stemming from a compromised GitHub Actions workflow. The incident involved the inadvertent download of a malicious version of the axios JavaScript library—a critical dependency used in the build pipeline for OpenAI's macOS applications.

While OpenAI stated that no user data or internal systems were compromised, the integrity of the code-signing certificate was impacted. Consequently, OpenAI revoked the macOS developer certificate used to sign its applications. For defenders, this is a critical availability and trust incident. A revoked certificate means existing applications will fail to launch or update, effectively creating a denial of service for end-users and requiring immediate remediation across fleets. Furthermore, it highlights the persistent risk of dependency confusion and poisoned pipeline execution in modern CI/CD environments.

Technical Analysis

Affected Products and Platforms

  • Platform: macOS
  • Application: OpenAI macOS Desktop Applications
  • Root Cause: Compromise of GitHub Actions workflow leading to the download of a malicious axios package (dependency confusion/supply chain).
  • Impact: Revocation of Apple Developer ID Certificate used for application signing.

Attack Chain

  1. Initial Vector: A GitHub Actions workflow, responsible for building and signing macOS binaries, triggered a package manager interaction (likely npm install or yarn).
  2. Artifact Download: The process resolved a dependency request for axios and downloaded a malicious version from the public registry rather than the intended internal or trusted source.
  3. Execution: The malicious library was executed during the build process within the CI/CD runner environment.
  4. Code Signing Impact: The build process utilized valid signing credentials to sign the compiled application. While OpenAI asserts no breach of user data, the presence of malicious code in the build chain necessitated the invalidation of the signing certificate to prevent the distribution of tampered binaries.
  5. Post-Incident Response: OpenAI revoked the certificate. macOS Gatekeeper now treats existing signed binaries as untrusted, blocking execution.

Exploitation Status

  • Status: Confirmed incident (Supply Chain).
  • Active Exploitation: The malicious artifact was downloaded during the build process on March 31.
  • CVE: No specific CVE assigned yet for the OpenAI configuration failure, though axios vulnerabilities are tracked separately (e.g., CVE-2023-45857). This is a configuration/process failure, not necessarily a software zero-day.

Detection & Response

SIGMA Rules

YAML
---
title: macOS Application Code Signature Failure - OpenAI Incident
id: 8a4f2e9b-1c3d-4a7f-9b6e-5d8c7a9b0c1d
status: experimental
description: Detects attempts to launch OpenAI macOS applications that fail code signature validation due to certificate revocation or mismatch. Relevant post-incident where certificates are revoked.
references:
 - https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.defense_evasion
 - attack.t1553.002
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|contains: 'OpenAI'
  filter_legit:
    # prefix match on purpose: a 'contains' test for 'valid' would also match 'invalid'
    CodeSignature|startswith: 'valid'
  condition: selection and not filter_legit
falsepositives:
  - Known updates pending re-installation
level: high
---
title: Suspicious NPM Install from GitHub Actions Runner
id: 9b5g3f0a-2d4e-5b8g-0c7f-6e9d8b0a1c2e
status: experimental
description: Detects execution of npm or yarn install commands by a GitHub Actions runner service account, which may indicate a supply chain attempt or dependency confusion if triggered unexpectedly.
references:
 - https://attack.mitre.org/techniques/T1195/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.initial_access
 - attack.t1195.002
logsource:
  category: process_creation
  product: linux # or windows if self-hosted on windows
detection:
  selection:
    # the runner worker has no .exe suffix on Linux/macOS self-hosted runners
    ParentImage|endswith:
      - '/Runner.Worker'
      - '\Runner.Worker.exe'
    Image|endswith:
      - '/npm'
      - '/yarn'
    CommandLine|contains: 'install'
  condition: selection
falsepositives:
  - Legitimate CI/CD build pipelines
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for macOS devices launching OpenAI apps that report code signature errors
DeviceProcessEvents
| where Timestamp > ago(7d)
// macOS paths use forward slashes, so match "/OpenAI" rather than a Windows-style "\OpenAI"
| where FileName in~ ("ChatGPT", "OpenAI") or FolderPath contains "/OpenAI"
| where InitiatingProcessFileName != "update"
| where AdditionalFields has_any ("code signature", "invalid", "revoked")
// AdditionalFields is a JSON string; parse it before reading individual keys
| extend Details = parse_json(AdditionalFields)
| project Timestamp, DeviceName, FileName, ProcessVersionInfoInternalFileName,
          CodeSignatureStatus = tostring(Details.CodeSignatureStatus),
          SigningStatus = tostring(Details.SigningStatus)
| sort by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
// Hunt for OpenAI applications on macOS and verify their signature status
// This checks whether each binary is signed and whether the signature still verifies
LET OpenAIBinaries = SELECT OSPath, Size, Mode, Mtime
  FROM glob(globs="/Applications/*OpenAI*.app/Contents/MacOS/*")

// Inventory of the binaries found
SELECT OSPath, Size, Mode, Mtime FROM OpenAIBinaries

// Run codesign against each binary found above. "--verify" actually validates the
// signature (and surfaces a revoked certificate); "-d" only displays signing details.
SELECT * FROM foreach(
  row=OpenAIBinaries,
  query={
    SELECT OSPath, Stdout, Stderr, ReturnCode
    FROM execve(argv=["/usr/bin/codesign", "--verify", "--verbose=4", OSPath], sep="\n")
  })

Remediation Script (Bash)

Bash / Shell
#!/bin/bash

# Remediation Script: OpenAI macOS Certificate Revocation
# Purpose: Uninstall impacted OpenAI apps to clear the revoked certificate state

set -u

echo "[*] Starting remediation for OpenAI macOS applications..."

APP_PATH="/Applications/OpenAI.app"   # adjust if the bundle is installed under a different name

# Check if the standard app path exists
if [ -d "$APP_PATH" ]; then
    echo "[!] Found OpenAI application at $APP_PATH"
    echo "[*] Attempting to quit running processes..."
    # Match on the bundle path rather than the bare word "OpenAI" so that unrelated
    # processes (including this script) are not killed
    pkill -f "$APP_PATH/" 2>/dev/null
    sleep 2

    echo "[*] Removing the application bundle..."
    if rm -rf "$APP_PATH"; then
        echo "[+] Successfully removed $APP_PATH"
        echo "[!] ACTION REQUIRED: Please download the latest version of the OpenAI application from the official source to restore functionality."
    else
        echo "[-] Failed to remove $APP_PATH. Check permissions (removing from /Applications normally requires admin rights)."
    fi
else
    echo "[INFO] No OpenAI application found at default path $APP_PATH"
fi

echo "[*] Remediation script complete."

Remediation

Immediate Actions for Endpoints

  1. Application Removal: Existing installations of the OpenAI macOS application will likely fail to launch or function correctly due to the revoked certificate. Administrators must uninstall the current version of the application from all managed macOS endpoints.
  2. Clean Installation: Download and install the latest version of the OpenAI application directly from the official vendor website or the Apple App Store. The new version will be signed with a new, valid certificate.
  3. Verification: After reinstallation, verify the code signature to ensure it is valid and trusted by Apple. Use the command: codesign --verify --verbose=4 /Applications/OpenAI.app (the --verify flag performs validation; -dv only displays the signing details without checking them).
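As an added example (not part of the advisory, and not OpenAI's or Security Arsenal's tooling), the following POSIX shell script turns step 3 into a routine that can be pushed to a fleet: it runs codesign --verify against every bundle matching the same /Applications/*OpenAI*.app glob the VQL hunt uses and maps the tool's output to a state. The phrases it matches (valid on disk, CSSMERR_TP_CERT_REVOKED, code object is not signed at all, invalid signature) are the ones codesign itself prints; the classifier matches them as whole phrases, since a bare substring such as "valid" would also match "invalid signature". The bundle path is an assumption carried over from the page.

```shell
#!/bin/sh
# Added example (not from the advisory): fleet verification of OpenAI app bundles
# after reinstallation. Runs `codesign --verify --verbose=4` and classifies the result.

# classify_codesign OUTPUT -> prints one of: ok, revoked, unsigned, tampered, unknown
# Patterns are whole phrases from codesign's own output. Matching a bare substring
# such as "valid" would also hit "invalid signature", so the full phrase is required.
classify_codesign() {
  case "$1" in
    *CSSMERR_TP_CERT_REVOKED*)                                echo revoked ;;
    *"code object is not signed at all"*)                     echo unsigned ;;
    *"invalid signature"*|*"sealed resource"*)                echo tampered ;;
    *"valid on disk"*"satisfies its Designated Requirement"*) echo ok ;;
    *)                                                        echo unknown ;;
  esac
}

# verify_bundle APP_PATH -> prints "<state> <path>" (macOS only; codesign reports on stderr)
verify_bundle() {
  out=$(/usr/bin/codesign --verify --verbose=4 "$1" 2>&1)
  printf '%s %s\n' "$(classify_codesign "$out")" "$1"
}

# Sweep every bundle whose name mentions OpenAI (same glob as the VQL hunt above).
# Returns non-zero if any bundle is not "ok", so an MDM job can flag the host.
sweep_openai_bundles() {
  rc=0
  for app in /Applications/*OpenAI*.app; do
    [ -d "$app" ] || continue
    line=$(verify_bundle "$app")
    echo "$line"
    case "$line" in ok\ *) ;; *) rc=1 ;; esac
  done
  return $rc
}

# Only attempt the sweep on macOS; the classifier itself is portable.
if [ "$(uname)" = "Darwin" ]; then
  sweep_openai_bundles
fi
```

On a host where the old bundle is still installed the sweep prints "revoked /Applications/OpenAI.app" and exits 1; after a clean reinstall it prints "ok ..." and exits 0, which makes it usable as a compliance check after the remediation script has run.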

Hardening CI/CD Pipelines

  1. Dependency Pinning: Ensure all build pipelines use package-lock.json, yarn.lock, or equivalent lockfiles. Do not rely on loose version constraints (e.g., ^1.0.0) that allow for unintended updates.
  2. Supply Chain Vetting: Implement tools like npm audit, Dependabot, or OpenSSF Scorecard checks within the GitHub Actions workflow prior to executing build steps.
  3. Registry Scoping: Configure package managers (npm, yarn) to only pull dependencies from private, scoped registries or verified public mirrors, avoiding the public npm registry if possible for critical internal builds.
  4. Token Hygiene: Rotate any CI/CD secrets or tokens that may have been accessible to the build environment during the compromise window, as a precautionary measure.
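The pinning and registry-scoping steps above can be enforced as a gate before the package manager runs. The following POSIX shell check is an added example, not the advisory's or OpenAI's tooling: it reads a package-lock.json (lockfileVersion 3) and fails if a package has no lockfile entry, lacks an integrity hash, or was resolved from anywhere other than an approved registry. The ALLOWED_REGISTRY URL, the lockfile contents, the package names and the integrity values are all constructed for the demo; the "axios" entry is made to resolve from the public registry purely to show the check firing.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a package-lock.json before `npm ci`
# to enforce exact pinning, integrity hashes and an approved registry source.

ALLOWED_REGISTRY="https://npm.internal.example/"   # assumption: the organisation's private mirror

# lock_field LOCKFILE PKG FIELD -> prints FIELD's value from the "node_modules/PKG" entry
lock_field() {
  awk -v key="\"node_modules/$2\":" -v field="\"$3\":" '
    $1 == key { depth = 1; next }               # entered the package entry
    depth > 0 && $1 == field {                  # field found inside the entry
      v = $0
      sub(/^[^:]*:[[:space:]]*"/, "", v)        # strip   "field": "
      sub(/".*$/, "", v)                        # strip closing quote and comma
      print v; exit
    }
    depth > 0 { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }   # track nesting
  ' "$1"
}

# check_pinned LOCKFILE PKG -> 0 if PKG is pinned with an integrity hash from the
# approved registry, 1 otherwise (reason printed)
check_pinned() {
  ver=$(lock_field "$1" "$2" version)
  res=$(lock_field "$1" "$2" resolved)
  integ=$(lock_field "$1" "$2" integrity)
  if [ -z "$ver" ]; then
    echo "[-] $2: no entry in lockfile (not pinned)"; return 1
  fi
  case "$integ" in
    sha512-*|sha256-*) ;;
    *) echo "[-] $2@$ver: missing integrity hash"; return 1 ;;
  esac
  case "$res" in
    "$ALLOWED_REGISTRY"*) ;;
    *) echo "[-] $2@$ver: resolved from $res, not $ALLOWED_REGISTRY"; return 1 ;;
  esac
  echo "[+] $2@$ver: pinned, integrity present, resolved from approved registry"
  return 0
}

# audit_lockfile LOCKFILE PKG... -> non-zero if any package fails (use as a CI gate)
audit_lockfile() {
  lock=$1; shift; rc=0
  for pkg in "$@"; do
    check_pinned "$lock" "$pkg" || rc=1
  done
  return $rc
}

# Constructed sample lockfile (not a real project): one entry passes, one resolves
# from the public registry, one has no integrity hash. Hash values are placeholders.
LOCKFILE=$(mktemp)
cat > "$LOCKFILE" <<'EOF'
{
  "name": "macos-build",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "dependencies": { "axios": "^1.0.0", "safe-lib": "2.1.0" }
    },
    "node_modules/safe-lib": {
      "version": "2.1.0",
      "resolved": "https://npm.internal.example/safe-lib/-/safe-lib-2.1.0.tgz",
      "integrity": "sha512-CONSTRUCTEDPLACEHOLDERHASH0000000000000000000000000000000000000000==",
      "engines": { "node": ">=18" }
    },
    "node_modules/axios": {
      "version": "1.2.3",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.2.3.tgz",
      "integrity": "sha512-CONSTRUCTEDPLACEHOLDERHASH1111111111111111111111111111111111111111==",
      "dependencies": { "follow-redirects": "^1.15.0" }
    },
    "node_modules/follow-redirects": {
      "version": "1.15.6",
      "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz"
    }
  }
}
EOF

audit_lockfile "$LOCKFILE" safe-lib axios follow-redirects
```

Run it as a workflow step before npm ci (which installs exactly what the lockfile records) with the list of packages the build must source internally; a non-zero exit stops the job before any package code executes on the runner.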

Official Advisory

Refer to the official OpenAI security post for the specific reinstallation instructions and the new certificate details: OpenAI Security Advisory
