OpenAI macOS Supply Chain Compromise: Axios Malware Injection & Certificate Revocation

Security Arsenal Team
April 21, 2026

Introduction

On March 31, 2026, OpenAI disclosed a significant supply chain security incident involving its macOS application signing infrastructure. A GitHub Actions workflow, integral to the build and signing process, was manipulated to download a malicious version of the popular axios JavaScript library. Consequently, OpenAI has revoked the macOS certificate used to sign its applications.

For defenders, this is a critical wake-up call. The revocation of a developer certificate by a major vendor effectively renders existing installed applications invalid or untrusted, potentially causing operational disruption. More critically, it highlights the vulnerability of CI/CD pipelines to dependency poisoning. This incident requires immediate attention to verify the integrity of OpenAI applications in your environment and audit your own GitHub Actions workflows for similar misconfigurations.

Technical Analysis

Affected Products & Platforms

  • Platform: macOS
  • Affected Component: OpenAI macOS Applications (signed with the now-revoked certificate)
  • Vector: GitHub Actions Workflow / Dependency Poisoning

Vulnerability & Attack Chain

While no CVE has been explicitly assigned to the OpenAI workflow configuration failure, the attack leverages the technique of Dependency Confusion or Malicious Package Injection within a CI/CD pipeline.

  1. Initial Compromise: The GitHub Actions workflow responsible for building the macOS app contained logic to fetch dependencies.
  2. Malicious Artifact: On March 31, the workflow executed a download of a malicious axios library. This likely occurred due to a misconfigured dependency scope or a compromised upstream registry mirror within the workflow.
  3. Code Execution & Signing: The malicious library was executed during the build process (or included in the bundle). The build runner, possessing access to the private signing certificate, signed the tainted macOS binary.
  4. Impact: The malicious binary, now signed with a trusted certificate, was considered legitimate by macOS Gatekeeper.

Exploitation Status

  • Status: Confirmed active exploitation of the workflow (OpenAI acknowledged the download on March 31).
  • Impact: OpenAI states no user data or internal systems were compromised, suggesting the malicious library may have been a proof-of-concept or detected before widespread distribution, or that the revocation was pre-emptive. However, the certificate revocation implies a total loss of trust in the private key.

Detection & Response

Sigma Rules

The following rules detect the CI/CD abuse pattern (Linux runner) and the potential execution of the macOS application with a revoked certificate (macOS endpoint).

YAML
---
title: Potential GitHub Actions Dependency Confusion via NPM
id: 9c8d1e23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects NPM install operations within CI/CD environments that utilize a custom registry, a common indicator of dependency confusion attacks.
references:
  - https://attack.mitre.org/techniques/T1195.002/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/npm'
    CommandLine|contains|all:
      - 'install'
      - '--registry'
  # Public registry; excluded through "not filter_public" in the condition
  filter_public:
    CommandLine|contains: 'https://registry.npmjs.org'
  # CI context: runner path in the image and a runner-style account name
  context_ci_path:
    Image|contains: '/actions/'
  context_ci_user:
    User|contains:
      - 'runner'
      - 'actions'
  condition: selection and not filter_public and context_ci_path and context_ci_user
falsepositives:
  - Legitimate private registry usage in approved internal workflows
level: high
---
title: macOS Code Signature Validation Failure
id: a7b3c8d9-1e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects codesign verification commands that exit with an error, which may occur if an application's certificate is revoked or its signature is corrupted.
references:
  - https://attack.mitre.org/techniques/T1553/002/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
  - attack.t1553.002
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    CommandLine|contains|all:
      - 'codesign'
      - '-v'
    # ExitCode is not a standard process_creation field; it requires telemetry that records process exit status
    ExitCode: 1
  filter_generic:
    CommandLine|contains: 'DeepCopy' # Known false positive in some utils
  condition: selection and not filter_generic
falsepositives:
  - Developers testing signing configurations
  - Corrupted application updates
level: medium

KQL (Microsoft Sentinel)

Hunt for evidence of the GitHub Actions compromise or the malicious npm package installation on Linux runners forwarding logs to Sentinel.

KQL — Microsoft Sentinel / Defender
// Hunt for NPM installs with custom registries on Linux/CI runners
DeviceProcessEvents
| where Timestamp > datetime(2026-03-30)
| where FileName has "npm"
| where ProcessCommandLine has "install"
| where ProcessCommandLine has "--registry"
| where ProcessCommandLine !has "registry.npmjs.org"
// Capture the registry URL for both "--registry <url>" and "--registry=<url>"
| extend RegistryUrl = extract("--registry[=\\s]+([^\\s]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, RegistryUrl, InitiatingProcessFileName
| sort by Timestamp desc

Velociraptor VQL

Hunt macOS endpoints for the presence of the OpenAI application and verify its code signing status to identify if the installed binary is affected by the revocation.

VQL — Velociraptor
-- Hunt for OpenAI macOS apps and check signature validity
SELECT 
  OSPath.Basename AS AppName,
  Mtime AS ModTime,
  
  -- Run codesign to display signing details (codesign writes them to stderr)
  { SELECT Stderr FROM execve(argv=["/usr/bin/codesign", "-dv",
      "--verbose=4",
      OSPath.String]) } AS SignatureCheck,
  
  -- Check for specific revoked certificate hashes if known, otherwise look for 'code object is not signed'
  { SELECT ReturnCode, Stderr FROM execve(argv=["/usr/bin/codesign", "-v",
      OSPath.String]) } AS ValidationError
FROM glob(globs="/Applications/*.app")
WHERE AppName =~ "OpenAI" 
   OR AppName =~ "ChatGPT"

Remediation Script (Bash)

Run this script on macOS endpoints to verify the integrity of the OpenAI application and ensure it is signed with a valid, non-revoked certificate.

Bash / Shell
#!/bin/bash

# Remediation Script: Verify OpenAI macOS App Signature
# Author: Security Arsenal
# Date: 2026-04-06

APP_PATH="/Applications/OpenAI.app" # Adjust path if different

if [ ! -d "$APP_PATH" ]; then
  echo "[INFO] OpenAI App not found at $APP_PATH. Checking for ChatGPT..."
  APP_PATH="/Applications/ChatGPT.app"
fi

if [ -d "$APP_PATH" ]; then
  echo "[AUDIT] Verifying signature for $APP_PATH"
  
  # Verify code signature ("valid on disk" is printed by verbose verify mode, not by -d)
  if codesign --verify --verbose=2 "$APP_PATH" 2>&1 | grep -q "valid on disk"; then
    echo "[SAFE] App signature is valid on disk."
    
    # Check specific certificate validity (Trust Store) with a Gatekeeper assessment
    if spctl --assess --type execute "$APP_PATH" 2>&1; then
      echo "[SUCCESS] App passes all validation checks."
    else
      echo "[CRITICAL] App signature is valid but code failed verification (Possibly Revoked/Expired)."
      echo "[ACTION] Please update the application immediately."
      exit 1
    fi
  else
    echo "[WARNING] App is not signed or signature is corrupted."
    exit 1
  fi
else
  echo "[INFO] No OpenAI application found in /Applications."
fi

Remediation

  1. Update Application Immediately: OpenAI has likely released a new version of the macOS application signed with a new, valid certificate. Users must update to the latest version immediately to restore functionality and security.
  2. Verify Certificate Trust: Before running the updated application, inspect the code signature using:
       codesign -dvv /Applications/OpenAI.app
     Ensure the certificate validity period is current and issued by "Developer ID Application: OpenAI, Inc." (or the specific legitimate issuer).
  3. Audit GitHub Actions Workflows: If you are a developer or maintain CI/CD pipelines:
    • Review all .github/workflows/*.yml files.
    • Ensure npm install or package fetching steps do not allow unverified external registries.
    • Pin dependency versions in package-lock.json or yarn.lock and commit these files to prevent dependency confusion.
    • Use Dependabot or similar tools to alert on malicious package versions.
  4. System Reboot: After updating the application, a system reboot is recommended to clear any cached revoked certificate states in the macOS kernel/amfid.
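
The workflow and lockfile audit from step 3, as an added Python example (not code from the original article or from OpenAI): it flags package-lock.json entries resolved from a host outside an allow-list or lacking an integrity hash, and workflow lines that run npm install or pass an unapproved --registry. The allow-list, function names and sample inputs are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Assumption: only the public npm registry is approved; add internal mirrors here.
ALLOWED_HOSTS = {"registry.npmjs.org"}
NPM_STEP = re.compile(r"\bnpm\s+(install|i|ci)\b(.*)")
REGISTRY_FLAG = re.compile(r"--registry[=\s]+(\S+)")

def audit_lockfile(lock_text, allowed=ALLOWED_HOSTS):
    """Flag lockfile (v2/v3) entries from unapproved hosts or without integrity."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path == "" or meta.get("link") or meta.get("inBundle"):
            continue  # root project, workspace links, bundled deps: no tarball URL
        host = urlparse(meta.get("resolved", "")).hostname
        if host not in allowed:
            findings.append((path, f"resolved from unapproved source: {meta.get('resolved')}"))
        if not meta.get("integrity"):
            findings.append((path, "missing integrity hash"))
    return findings

def audit_workflow(workflow_text, allowed=ALLOWED_HOSTS):
    """Flag workflow lines that bypass the lockfile or use an unapproved registry."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        step = NPM_STEP.search(line)
        if not step:
            continue
        if step.group(1) != "ci":
            findings.append((lineno, "npm install may re-resolve versions; use npm ci"))
        flag = REGISTRY_FLAG.search(step.group(2))
        if flag and urlparse(flag.group(1).strip("'\"")).hostname not in allowed:
            findings.append((lineno, f"unapproved registry: {flag.group(1)}"))
    return findings

# Constructed sample inputs (hosts, versions and hashes are placeholders).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/axios": {"resolved": "https://mirror.example/axios-0.0.1.tgz",
                           "integrity": "sha512-PLACEHOLDER"},
    "node_modules/left": {"resolved": "https://registry.npmjs.org/left/-/left-0.0.2.tgz"}}})
SAMPLE_WORKFLOW = """steps:
  - run: npm ci
  - run: npm install --registry=https://mirror.example/
"""

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK) + audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run it in a pull-request check against the committed lockfile and every file under .github/workflows/, and fail the job when either function returns findings.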
