On March 31, a GitHub Actions workflow that OpenAI uses to sign its macOS apps downloaded a poisoned version of Axios, the popular JavaScript HTTP library. Version 1.14.1 had been compromised as part of a wider supply chain attack. The workflow had access to code signing certificates for ChatGPT Desktop, Codex, Codex CLI, and Atlas. That's the material that lets someone distribute malware dressed up as legitimate OpenAI software.

OpenAI's forensic review found no evidence that certificates were stolen, user data was accessed, or software was modified. But they're rotating the certificates anyway, publishing new builds, and working with Apple to block new notarizations using the old keys. macOS users need to update by May 8. After that, older versions stop working.

The root cause was straightforward. The GitHub Actions workflow used a floating tag instead of pinning a specific commit hash, and lacked a minimumReleaseAge check. That's a setting that refuses to install packages until they've been public for a set time, giving maintainers a window to catch tampering. Basic supply chain hygiene that plenty of teams skip. On Hacker News, reactions were mixed. Some appreciated the detailed post-mortem. Others noted the blog post came 10 days after the incident, with user notification emails arriving another 11 days later.
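As an added illustration (not OpenAI's workflow or any code from the post), here is the weak shape of such a pipeline beside a hardened one, plus the release-age gate. It assumes pnpm, whose minimumReleaseAge setting is the one named above; the commit hashes are placeholders to be looked up in each action's repository.

```yaml
# file: .github/workflows/sign.yml  (BEFORE: the weak shape)
name: sign-macos
on: [push]
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4      # "v4" is a moving tag: whoever controls it controls the code
      - uses: actions/setup-node@v4    # same problem
      - run: npm install               # resolves the newest version that matches the range,
                                       # so a poisoned release is picked up the moment it is published
---
# file: .github/workflows/sign.yml  (AFTER: pinned and gated)
name: sign-macos
on: [push]
jobs:
  build:
    runs-on: macos-latest
    steps:
      # Pin every action to its full 40-character commit SHA; the tag in the
      # trailing comment is for humans only. <...> values are placeholders.
      - uses: actions/checkout@<full-commit-sha>     # v4
      - uses: pnpm/action-setup@<full-commit-sha>    # v4
      - uses: actions/setup-node@<full-commit-sha>   # v4
      # Fail the job instead of silently resolving a newer version than the lockfile records.
      - run: pnpm install --frozen-lockfile
---
# file: pnpm-workspace.yaml
# Refuse to install any version published less than 7 days ago (value is in minutes),
# which is the window in which a hijacked release like the Axios one tends to be caught and pulled.
minimumReleaseAge: 10080
# Packages your own org publishes can be exempted (assumed scope name).
minimumReleaseAgeExclude:
  - "@example-org/*"
```

With the lockfile committed and `--frozen-lockfile` in place, a new upstream release changes nothing until someone deliberately bumps it, and the age gate keeps that bump from landing on a version that is minutes old.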

This attack pattern will keep showing up. Axios is everywhere, making it a prime target for poisoning CI/CD pipelines at scale. The attackers weren't exploiting a bug in Axios. They wanted to hijack build processes of high-profile targets. It worked well enough to expose OpenAI's signing infrastructure. Whether Axios is necessary in 2026 with native fetch APIs is almost beside the point. What matters is how many critical systems still pull dependencies by floating version tags.