OpenAI disclosed that a GitHub Actions workflow used for signing its macOS apps unintentionally downloaded a malicious version of the Axios npm package as part of a supply chain attack linked to North Korean hackers, but affirmed no user data or internal systems were compromised. In response, OpenAI revoked and rotated the affected signing certificate, blocking older app versions and coordinating with Apple to prevent further notarizations with the compromised certificate, highlighting the growing threat and complexity of software supply chain attacks.
https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html

