OPENAI ROTATES MACOS CERTS AFTER AXIOS SUPPLY CHAIN HIT

The attack leveraged a malicious version of the Axios HTTP library to execute unauthorized code during OpenAI's build process. The compromised package was pulled into the company's CI/CD pipeline, potentially exposing code-signing credentials used to validate macOS applications. Code-signing certificates are critical security infrastructure—they authenticate software as legitimate and prevent tampering. If attackers obtained these credentials, they could sign malicious macOS applications that would appear trusted to users and systems. OpenAI's response involved rotating the affected certificates to prevent their continued misuse. The incident highlights persistent vulnerabilities in software supply chains, where attackers can compromise popular open-source dependencies to reach high-profile targets. The attack underscores the importance of hardening CI/CD security, including limiting credential access, monitoring dependency updates, and implementing strict code review practices. OpenAI has not disclosed whether any signed malicious code was distributed before the certificates were revoked.