OpenAI says a GitHub workflow used to sign its macOS apps downloaded a malicious Axios library on March 31, but no user data or internal system was compromised (Sam Sabin/Axios)

Why it matters: OpenAI’s macOS app signing pipeline was briefly compromised, but no user data was exposed.
- OpenAI discovered its GitHub signing workflow pulled a compromised Axios package on March 31.
- The Axios library was maliciously altered, yet the breach did not expose user data or internal systems.
- The GitHub workflow used for macOS app signing was temporarily compromised, but no downstream impact was reported.

OpenAI revealed that a GitHub workflow used to sign its macOS apps unintentionally fetched a maliciously altered Axios library on March 31. The compromised download did not lead to any exposure of user data or internal systems, and the issue was contained quickly.

