OpenAI GitHub Actions Workflow Compromised by Malicious Axios Package
OpenAI disclosed on April 13, 2026, that attackers successfully compromised one of their GitHub Actions workflows through a malicious version of the popular Axios HTTP client library. The attack specifically targeted OpenAI's macOS application build pipeline, where the compromised package executed during the automated code-signing process. Security researchers at Hackread first reported the incident after analyzing suspicious network traffic from OpenAI's build infrastructure.
The malicious Axios package, identified as version 1.6.8-malicious, contained obfuscated JavaScript code designed to exfiltrate environment variables and secrets from the GitHub Actions runner environment. The package maintained full compatibility with legitimate Axios functionality to avoid detection during automated testing. Attackers uploaded the compromised package to the npm registry using a technique called dependency confusion, where they registered a package name similar to an internal OpenAI dependency.
OpenAI's security team detected the breach when their automated monitoring systems flagged unusual outbound network connections from their macOS build environment. The malicious package was attempting to transmit base64-encoded data to a command-and-control server hosted on a compromised WordPress site. Analysis revealed the package had been active in OpenAI's build pipeline for approximately 72 hours before detection, during which time it had access to code-signing certificates, API keys, and other sensitive build artifacts.
The attack represents a sophisticated supply chain compromise targeting one of the world's most prominent AI companies. Security experts noted the attackers demonstrated deep knowledge of OpenAI's build processes and specifically crafted the malicious package to target macOS certificate infrastructure. The incident occurred during a period of heightened scrutiny around AI company security practices, following recent regulatory guidance from CISA regarding AI system protection.
macOS Users and OpenAI Application Ecosystem at Risk
The compromise primarily affects users of OpenAI's macOS applications, including the ChatGPT desktop client and any internally distributed macOS tools that rely on the potentially exposed code-signing certificates. Approximately 2.3 million macOS users have downloaded OpenAI applications in the past six months, according to App Store analytics. The exposed certificates could theoretically allow attackers to sign malicious applications that would appear legitimate to macOS Gatekeeper security controls.
Enterprise customers using OpenAI's macOS applications in corporate environments face particular risk, as compromised certificates could enable attackers to bypass organizational security policies that rely on code-signing verification. Organizations that have whitelisted OpenAI applications based on their digital signatures must now update their security policies to account for the certificate rotation. The security advisory from The Hacker News indicates that no evidence suggests the certificates were used maliciously, but the potential for abuse required immediate revocation.
GitHub Actions users across the broader ecosystem also face indirect risk, as the attack demonstrates how supply chain vulnerabilities can compromise even well-secured CI/CD pipelines. The incident has prompted security teams at major technology companies to audit their own GitHub Actions workflows for similar dependency confusion vulnerabilities. Security researchers estimate that over 15,000 GitHub repositories use similar Axios dependency patterns that could be susceptible to comparable attacks.
Certificate Revocation and Enhanced Security Measures Implemented
OpenAI immediately revoked all potentially compromised macOS code-signing certificates and generated new signing keys using hardware security modules (HSMs) to prevent future exposure. The company implemented certificate pinning for their macOS applications and added additional verification steps to their GitHub Actions workflows. Users of OpenAI macOS applications will receive automatic updates with new certificates through the standard macOS update mechanism, requiring no manual intervention.
To prevent similar attacks, OpenAI has implemented several security enhancements to their build pipeline. They've added dependency verification using npm audit and Snyk scanning for all package installations in GitHub Actions workflows. The company also implemented network segmentation for build environments, restricting outbound connections to approved destinations only. Additionally, they've deployed runtime application self-protection (RASP) tools to monitor for suspicious behavior during the build process.
Organizations using OpenAI macOS applications should verify they're running the latest versions with updated certificates by checking the application's digital signature in System Preferences > Security & Privacy. IT administrators can use the 'spctl' command-line tool to verify certificate validity: 'spctl -a -v /Applications/ChatGPT.app' will display current signing information. Companies should also review their application whitelisting policies and update them to recognize the new OpenAI certificates while removing trust for the revoked ones.
The incident has prompted OpenAI to enhance their supply chain security practices, including implementing Software Bill of Materials (SBOM) generation for all builds and requiring multi-party approval for dependency updates. They've also established a bug bounty program specifically focused on supply chain vulnerabilities, offering rewards up to $100,000 for critical findings. Security teams industry-wide are using this incident as a case study for improving their own CI/CD security postures and dependency management practices.
