News
OpenAI Supply Chain Attack — North Korean Hackers Compromised macOS App Signing via Axios Library
A supply chain attack attributed to UNC1069 (North Korea-nexus threat actor) compromised the Axios JavaScript library (v1.14.1), which was used in OpenAI's macOS app-signing GitHub Actions workflow. The attack exposed code-signing certificates for ChatGPT Desktop, Codex, and Atlas. OpenAI revoked certificates and set a May 8 deadline for all macOS users to update. Root cause: a misconfigured workflow using floating tags instead of pinned commit hashes.
Source
↳ Follow the thread