Axios poisoning incident affects OpenAI; four Mac apps urgently re-signed

Axios npm package suffers a supply chain poisoning; malicious code infiltrates the OpenAI macOS app signing process via GitHub Actions. OpenAI urgently replaced its certificates and requires users to update four apps — ChatGPT, Codex, and others — by May 8.
Axios Supply-Chain Poisoning Impacts OpenAI: Four Mac Apps Urgently Re-Signed
OpenAI issued a security bulletin yesterday (April 10), admitting that its macOS app signing process was affected by the Axios supply-chain attack. The company urges all Mac users to promptly update four applications—ChatGPT, Codex, Atlas, and Codex CLI. If you haven’t updated by May 8, macOS Gatekeeper will block the launch of older versions directly.
This was not a targeted attack on OpenAI, but OpenAI indeed fell into the trap—quite typically, too.

What Exactly Happened
The story starts at the end of March.
Around March 31, two poisoned Axios versions appeared on npm: axios@1.14.1 and axios@0.30.4. Attackers embedded remote-control code—a RAT (Remote Access Trojan)—into these versions. Any project that fetched them during CI/CD builds may have executed malicious code during the build process.
Axios needs no introduction. Almost every JavaScript developer has used it; it has over 50 million weekly downloads on npm. It’s the most mainstream HTTP client library in both frontend and Node.js ecosystems, similar in status to requests in Python. Precisely because it’s so widely used, it’s an ideal target for supply-chain attacks.
The attacker’s method wasn’t new but remained effective: they somehow obtained npm publishing access (the exact method is not fully disclosed, but the industry suspects leaked credentials or hijacked npm accounts), then released malicious versions disguised as normal updates. Version 1.14.1 followed the last stable version closely—so if your package.json specified ^1.14.0 or similar loose ranges, npm install automatically pulled the poisoned version.
That’s exactly how OpenAI got hit.
How OpenAI Fell into the Trap
OpenAI’s macOS app signing workflow runs on GitHub Actions. This CI pipeline installs dependencies during builds—including Axios. On March 31, due to a configuration flaw, the workflow pulled and executed axios@1.14.1—the poisoned version.
Keyword here: configuration flaw.
OpenAI didn’t specify the flaw, but based on common CI/CD security issues, it was likely one of these:
- Dependencies not locked (no lockfile, or CI ignored it)
- Using
npm installinstead ofnpm ciin GitHub Actions - No integrity checks on dependencies (e.g., didn’t enable npm’s
--ignore-scriptsor runnpm auditbefore install)
These issues are widespread. Many teams set up CI pipelines early and rarely audit them again—especially signing workflows, which often become “set and forget” blind spots in security reviews.
Executing malicious code during signing theoretically exposes signing certificates and keys. That’s the most serious part—not because damage has occurred, but because certificate compromise would allow attackers to sign fake apps that macOS would treat as legitimate OpenAI software.
OpenAI’s Response: No Breach, But Treating It as One
OpenAI clearly stated in its bulletin: There is currently no evidence that any user data was accessed or software tampered with.
However, they chose a conservative approach—treating the certificates as if compromised.
Specific actions include:
- Revoking old code-signing certificates and issuing new ones
- Re-signing affected apps with new certificates
- Working with Apple to block notarization requests using old certificates
- Starting May 8, macOS will block apps signed with old certificates
This is the right approach. In security response, “no evidence of exploitation” ≠ “confirmed not exploited.” The former means you haven't found signs yet; the latter requires full forensic analysis. OpenAI chose not to gamble and replaced the certificate outright—a responsible decision.
Affected applications:
| App Name | Type | |-----------|------| | ChatGPT | macOS desktop client | | Codex | Code assistant tool | | Atlas | Internal/enterprise tool | | Codex CLI | Command-line tool |
Users should download the latest versions from OpenAI’s official channels before May 8. After that date, older versions will be blocked by macOS Gatekeeper and won’t launch.
Supply-Chain Attacks: Old Problem, New Severity
This isn’t the first npm ecosystem incident.
The 2021 ua-parser-js attack, the 2022 colors.js and faker.js issues, and the 2024 xz-utils backdoor—all show supply-chain attacks are becoming more frequent and more severe. But the Axios poisoning stands out for several reasons:
First, its reach is vast. Axios isn’t a niche tool—it’s infrastructure-level for JavaScript. A poisoned Axios means countless CI/CD pipelines worldwide unknowingly executing malicious code.
Second, the attack targets build-time rather than runtime. Traditional malicious packages focus on runtime—stealing env vars, uploading sensitive files, etc. This Axios attack mainly compromised build pipelines. Build environments typically have higher privileges—signing certs, deployment keys, cloud credentials—and leaking those is far worse than a few stolen tokens.
Third, version mimicry is more sophisticated. 1.14.1 fits perfectly into the normal version progression, making automation and manual review slow to notice any anomaly.
For developers, this incident reaffirms an old but still often ignored rule: Lock your dependency versions.
What Developers Should Do
Not only OpenAI users should care. If your project depends on Axios, check these immediately:
1. Check if You’re Using Poisoned Versions
# Check installed axios version
npm ls axios
# If you see 1.14.1 or 0.30.4, act now
# Downgrade to a safe version
npm install axios@1.14.0
2. Lock dependency versions
In package.json, change the Axios version range to a fixed version:
{
"dependencies": {
"axios": "1.14.0"
}
}
Or better yet, ensure package-lock.json or yarn.lock is committed, and use npm ci instead of npm install in CI:
# GitHub Actions Example
steps:
- name: Install dependencies
run: npm ci # strictly follows lockfile, no auto upgrades
3. Audit your CI/CD pipelines for dependency safety
# Run npm’s built-in security audit
npm audit
# Or if using yarn
yarn audit
4. Consider Using Socket.dev or Similar Tools
Socket.dev can detect suspicious behavior in dependency changes at PR stage (like new network or filesystem access), providing far stronger supply-chain defense than plain vulnerability scanning.
Impact on API Users
If you access OpenAI services via API, this incident doesn’t directly affect you—the signing process for macOS apps is impacted, not server-side APIs.
But it highlights an often-overlooked fact: the HTTP client library in your own API code can also be an attack vector.
If you use Axios to call OpenAI or other AI APIs, confirm your Axios version is safe. For example:
import openai
client = openai.OpenAI(
api_key="your-openai-hub-key",
base_url="https://api.openai-hub.com/v1"
)
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Explain common methods of npm supply-chain attacks"}]
)
print(response.choices[0].message.content)
If you’re using Node.js and handling HTTP requests yourself instead of official SDK:
// Ensure axios version is safe
import axios from 'axios'; // must not be 1.14.1 or 0.30.4
const response = await axios.post(
'https://api.openai-hub.com/v1/chat/completions',
{
model: 'claude-sonnet-4-20250514',
messages: [{ role: 'user', content: 'Analyze the impact scope of Axios supply-chain attacks' }]
},
{
headers: {
'Authorization': 'Bearer your-openai-hub-key',
'Content-Type': 'application/json'
}
}
);
console.log(response.data.choices[0].message.content);
OpenAI Hub is compatible with OpenAI’s standard API format, so whether you use Python SDK or direct HTTP requests, the interface isn’t affected. But ensuring dependency security is your own responsibility as a developer.
The Bigger Picture: Supply-Chain Security for AI Companies
This incident exposes more than a dependency mistake—it shows the growing security debt across the fast-moving AI industry.
OpenAI, one of the world’s highest-valued AI companies, undoubtedly has top engineering talent. Yet even they had a “configuration flaw” in the CI/CD pipeline—indicating the issue is one of priority, not capability.
When everyone’s racing to scale models and ship features, hardening the build process often gets deprioritized. Certificate management, dependency locking, CI isolation—these aren’t flashy, but if neglected, they endanger user trust at scale.
To OpenAI’s credit, the response was prompt and transparent. From detection to public disclosure, certificate rotation, and coordination with Apple—all completed within two weeks. The bulletin didn’t downplay severity and advised users to act under a worst-case (“certificate leaked”) assumption.
By contrast, many firms delay disclosure for weeks or months pending internal scoping. OpenAI’s approach serves as a positive example of responsible incident response.
Timeline Overview
| Date | Event | |------|--------| | Mar 31 | Malicious axios@1.14.1 published to npm | | Mar 31 | OpenAI’s GitHub Actions workflow pulled and executed the malicious version | | Early Apr | Axios supply-chain attack discovered and publicized by security community | | Apr 10 | OpenAI released security bulletin, began certificate replacement | | May 8 | macOS to block apps signed with old certificates |
Final Thoughts
Supply-chain security isn’t new, yet every incident reminds us that we’re far from solving it. npm’s trust model assumes maintainers are reliable—but time and again that assumption proves fragile.
For individual developers, the actions are clear: lock dependencies, audit CI/CD, stay alert to security announcements. These aren’t hard—but they must become habit.
For macOS users running OpenAI apps—update now. Don’t wait until May 8 when your apps stop launching.
References:
- ITHome: OpenAI responds to Axios tool security incident, urges Mac users to update ChatGPT and other apps — detailed report and official OpenAI bulletin
- GitHub - tanjiti/sec_profile: Security News Aggregator — includes analysis reports on the Axios npm supply-chain poisoning attack



