thehackernews.com, 4/13/2026, 8:18:26 AM

OpenAI Revokes macOS Signing Key After Axios Supply Chain Hack

Primary source: openai.com
Threat actor: 🇰🇵 UNC1069

OpenAI has revoked and rotated its macOS app signing certificate after a malicious Axios supply-chain incident. The company says the signing certificate used in a GitHub Actions workflow that signs macOS apps was likely compromised, but that no user data or internal systems were breached. According to OpenAI, Axios version 1.14.1 was downloaded and executed by the workflow on March 31, and the poisoned packages 1.14.1 and 0.30.4 carried a backdoor named WAVESHAPER.V2 that affected Windows, macOS and Linux.

Google Threat Intelligence Group attributes the Axios supply-chain compromise to UNC1069, a North Korea-linked threat actor. As remediation, OpenAI will revoke and rotate the certificate, and older versions of its macOS desktop apps will no longer receive updates or support starting 8 May 2026. Apps signed by the previous certificate will be blocked by macOS protections unless explicitly bypassed.

The company is also working with Apple to ensure software signed with the old certificate cannot be newly notarised, and has warned that apps signed under the compromised certificate could be blocked by default.
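For teams checking their own build pipelines against the two Axios versions named above, the following is an added example, not code from OpenAI or the article. It assumes the build uses npm with a committed `package-lock.json`; the sample lockfile is constructed and every package name in it other than `axios` is hypothetical.

```javascript
// Added example: flag the Axios releases named in the article inside a parsed
// package-lock.json. Covers the v2/v3 "packages" map and the v1 "dependencies" tree.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]); // versions taken from the article
const NM = "node_modules/";

// v2/v3: flat map keyed by install path, e.g. "node_modules/a/node_modules/axios".
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    const i = path.lastIndexOf(NM);
    // meta.name is set for aliased installs; otherwise the name is the path tail.
    const name = meta.name || (i >= 0 ? path.slice(i + NM.length) : "");
    if (name === "axios" && BAD_AXIOS.has(meta.version)) {
      hits.push({ version: meta.version, path });
    }
  }
}

// v1: nested tree, so transitive copies are found by recursion.
function scanDependencies(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === "axios" && BAD_AXIOS.has(meta.version)) {
      hits.push({ version: meta.version, path: here.join(" > ") });
    }
    scanDependencies(meta.dependencies, here, hits);
  }
}

// Returns one entry per poisoned copy, direct or transitive.
function findPoisonedAxios(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfile (not real project data).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "signing-job", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/release-tool/node_modules/axios": { version: "1.14.1" },
    "node_modules/legacy-client/node_modules/axios": { version: "0.30.4" },
    "node_modules/axios-retry": { version: "4.0.0" },
  },
};
console.log(findPoisonedAxios(sampleLock));
```

To run it against a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findPoisonedAxios`. The check only covers what the lockfile pins, so a workflow that installs without a lockfile needs its install logs reviewed instead.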


Article by CyberSIXT