OpenAI recently disclosed a security incident affecting its macOS app-signing pipeline: on March 31 a malicious version of the Axios npm library was inadvertently downloaded into that process. The company states that no user data or internal systems were compromised. The malicious package has been attributed to UNC1069, a North Korean threat group that hijacked the npm package to publish versions carrying a backdoor tracked as WAVESHAPER.V2.

OpenAI is treating its macOS signing certificate as compromised. It is revoking the certificate and, starting May 8, 2026, will stop delivering updates to older versions of the app. The company is also working with Apple so that applications signed with the old certificate can no longer be notarized.

The incident is part of a broader wave of software supply chain attacks that also hit Trivy and led to multiple breaches across the ecosystem. Developers are advised to rely on verified dependencies (exact pinned versions whose integrity hashes are checked at install time rather than trusted on download) and to strengthen the authentication protecting their package-registry and publishing accounts.
