OpenAI Pulls macOS Signing Cert After Axios Supply Chain Compromise
Original source: The Hacker News
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
OpenAI revoked the Apple Developer ID certificate used to sign its macOS application following a supply chain incident traced to a malicious version of the widely used Axios HTTP client library. According to the report, the compromised dependency reached a build path that touched OpenAI's signed Mac binary, and the certificate was revoked as a containment step so that macOS Gatekeeper on user machines would stop trusting any tampered artifact carrying that signature.
The incident shows how a single poisoned npm package can ripple into the signing infrastructure of a major vendor. Axios sits deep in the JavaScript ecosystem with tens of millions of weekly downloads, so a malicious version published under the trusted name has a wide blast radius in the window before detection and takedown. Revocation is a blunt instrument: Gatekeeper cannot tell a legitimate signature from one made with a misused key, so revoking the certificate invalidates everything signed with it, including legitimate builds, which must be re-signed with a new certificate and redistributed to users.
For defenders, the takeaway is the usual one applied harder: install from a committed lockfile and verify the integrity hashes it records (npm ci does both), pin exact versions rather than ranges, disable install-time lifecycle scripts where the build allows, build in isolated, ephemeral environments, and keep signing keys in an HSM or a dedicated signing service so they never sit on a machine that pulls arbitrary npm dependencies. Treating the build pipeline as part of the attack surface, not just the shipped product, is the only posture that survives this class of incident.
This is an AI-generated summary. Read the original for the full story.