OpenAI - North Korea-Linked Axios Supply Chain Hack Impact

High severity — significant development or major threat actor activity
Basically, hackers linked to North Korea attacked OpenAI through a software supply chain issue.
OpenAI is responding to a supply chain attack linked to North Korean hackers through Axios. This breach may affect many users relying on the library. OpenAI is taking steps to secure its software and protect its users.
What Happened
OpenAI has disclosed that it was affected by a supply chain attack involving Axios, a popular JavaScript library. The attack, attributed to North Korean hackers, compromised the NPM account of a lead Axios maintainer. This led to the publication of two malicious NPM packages that could download and execute a Remote Access Trojan (RAT) on various operating systems, including Windows, macOS, and Linux.
Who's Affected
The attack potentially impacted many organizations using Axios, which boasts over 100 million weekly downloads. Security firm Huntress reported evidence of compromise on 135 machines, while cloud security company Wiz noted that the malicious version was executed in 3% of affected environments. OpenAI was one of the significant organizations affected, as it utilizes Axios in its software development processes.
What Data Was Exposed
The malicious packages were designed to execute code that could compromise systems. OpenAI's investigation revealed that a GitHub Actions workflow used in their macOS app-signing process downloaded a malicious version of Axios (version 1.14.1). This workflow had access to sensitive signing certificates, which could potentially be exploited to sign malicious software as if it were legitimate OpenAI products.
What You Should Do
In response to the incident, OpenAI has taken precautionary measures, including revoking and rotating its signing certificate. They have stopped new software notarizations using the old certificate, ensuring that any unauthorized software signed with it will be blocked by macOS security protections. Users are advised to remain vigilant and ensure they are using the latest versions of software to avoid potential exploits linked to this attack.
What’s Next
OpenAI plans to fully revoke the compromised certificate by May 8th, 2026. This proactive step aims to mitigate any risks associated with the potential misuse of the certificate. The incident highlights the ongoing threat posed by supply chain attacks and the need for organizations to strengthen their security protocols to protect against such vulnerabilities.
🔍 How to Check If You're Affected
1. Check for unauthorized Axios package installations in your projects.
2. Review GitHub Actions workflows for any suspicious activity.
3. Ensure that your software is signed with the latest certificates.
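
An added example for step 1 (not code from OpenAI, Axios, or the original article): it walks a parsed `package-lock.json` in either npm lockfile layout and reports every copy of axios pinned to a flagged version, including copies pulled in transitively. Only version 1.14.1 is named in this article; the sample lockfiles, the `1.13.0` version, and the `example-sdk` package are constructed for illustration.

```javascript
// Added example. Only 1.14.1 is named on this page; add any other versions
// listed in the official advisory to this map.
const FLAGGED = new Map([["axios", new Set(["1.14.1"])]]);

// Returns [{ name, version, where }] for every flagged entry in a parsed lockfile.
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = flagged.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf("node_modules/");
      if (i < 0) continue; // root or workspace folder, not an installed copy
      check(meta.name || path.slice(i + "node_modules/".length), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfiles (not real project data): the direct dependency is
// clean, the copy nested under a hypothetical "example-sdk" is the flagged one.
const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.0.1" },
  "node_modules/axios": { version: "1.13.0" },
  "node_modules/example-sdk": { version: "2.0.0" },
  "node_modules/example-sdk/node_modules/axios": { version: "1.14.1" },
} };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  axios: { version: "1.13.0" },
  "example-sdk": { version: "2.0.0", dependencies: { axios: { version: "1.14.1" } } },
} };

for (const h of [...findFlagged(SAMPLE_LOCK_V3), ...findFlagged(SAMPLE_LOCK_V1)]) {
  console.log(`FLAGGED ${h.name}@${h.version} at ${h.where}`);
}
```

To scan a real project, pass the function the result of `JSON.parse` on the contents of its `package-lock.json`. A lockfile shows what would be installed now, not what an earlier CI run resolved, so pair this with a review of workflow logs from the affected period.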
🔒 Pro insight: This incident underscores the critical need for robust supply chain security measures in software development environments.