OpenAI has been impacted by a recent supply chain attack linked to North Korean hackers, affecting the widely used Axios JavaScript HTTP client library. The attack began when the NPM account of a lead Axios maintainer was compromised, leading to the publication of malicious packages that could download a cross-platform remote access Trojan (RAT). OpenAI’s investigation revealed that a malicious version of Axios was inadvertently downloaded during a workflow for signing macOS applications, including its products such as ChatGPT Desktop. Although the company believes its app-signing certificate has not been compromised, it has opted to revoke and rotate the certificate as a safety measure, effective May 8, 2026. Cybersecurity firms have noted the broad impact of the attack, with evidence of compromise found on numerous machines.
Axios: Axios is a widely used open-source promise-based HTTP client library for JavaScript in web browsers and Node.js environments. In late March 2026, attackers compromised a lead maintainer’s NPM account and published two malicious versions that deployed a cross-platform remote access trojan. The packages were detected and removed within hours but affected developer workflows and production systems including OpenAI’s.
OpenAI: OpenAI is an artificial intelligence company that develops large language models and applications including ChatGPT Desktop, Codex, Codex-cli, and Atlas. It was impacted by the recent Axios supply chain attack when a malicious version executed in a GitHub Actions workflow used for macOS app-signing. The company investigated, found no evidence of signing certificate compromise, but rotated it as a precaution with full revocation planned for May 8th, 2026.
UNC1069: UNC1069 is a North Korea-nexus, financially motivated threat actor, also tracked as CryptoCore or MASAN, active since at least 2018. It primarily targets cryptocurrency sectors but has expanded to software supply chain attacks, including social engineering an Axios maintainer to deploy malicious NPM packages with a RAT. Google Threat Intelligence linked it to this recent Axios incident.
North Korea: North Korea is a nation-state that sponsors cyber threat groups conducting financially motivated attacks and espionage. The recent supply chain compromise of the Axios NPM package, executed by UNC1069, has been attributed to it. Such operations often involve social engineering and targeting open-source software ecosystems.
Attack Vector: Compromise began with social engineering of an Axios NPM maintainer account, leading to publication of malicious packages via normal update channels.
Industry Response: Cybersecurity firms like Huntress and Wiz analyzed impacts, while OpenAI detailed remediation in a public blog post.
Malware Capability: Malicious Axios versions downloaded a cross-platform RAT operable on Windows, macOS, and Linux for potential credential harvesting and persistence.
