OpenAI confirmed on Friday that one of its GitHub Actions pipelines, the one used to sign macOS applications and certify them as legitimate OpenAI software, downloaded and executed a compromised version of axios. That is the npm package, not the news outlet. The compromised version contained a remote access trojan planted by North Korean state hackers.

Reuters reported the disclosure. OpenAI revoked the affected macOS code-signing certificate. There is no evidence yet that any user-installed ChatGPT desktop app was tampered with. But the company that just spent the last six months marketing GPT-5.5 as the most secure model ever shipped just had its build infrastructure used as a delivery mechanism for a DPRK trojan.

How it actually happened

The npm package called axios is one of the most widely used HTTP clients in JavaScript. Over 100 million weekly downloads. It sits inside an enormous chunk of the modern web, including server-side tools, build pipelines, and developer infrastructure across nearly every tech company you have heard of.

On March 31, 2026, attackers hijacked the npm account of the package's lead maintainer. They locked the legitimate owner out, changed the contact email to a ProtonMail address, and pushed poisoned versions (1.14.1 and 0.30.4) directly to the public npm registry. For about three hours those versions were the official latest release. Anything that ran npm install during that window pulled malware. Quietly. Automatically.

Google's Threat Intelligence Group attributed the attack to UNC1069, a North Korean group active since 2018, mostly known for cleaning out crypto wallets. CISA put out a separate alert earlier this week telling every security team in America to scan their environments for the affected versions, rotate cloud keys and CI/CD secrets, and block outbound traffic to the attacker's command-and-control domain.

Why OpenAI matters here

Every Mac in the world that has the ChatGPT desktop app installed trusts a specific Apple Developer certificate that says, this binary came from OpenAI. That trust is what tells macOS to actually run the thing. The whole chain depends on the signing pipeline being clean.

OpenAI's pipeline ran a malicious axios. That means a foreign intelligence service had remote code execution inside the build environment that produces signed Apple binaries shipped to millions of users. Even if no shipped binary was actually tampered with, OpenAI had to assume worst case, revoke the cert, and rebuild trust.

The company says it acted before any malicious application could be distributed. Take that on faith if you want. The relevant fact is that a North Korean APT had access to the keys to the kingdom for some non-zero amount of time.

The bigger picture nobody wants to say out loud

This is the second AI-augmented or AI-adjacent supply chain story this week. On Thursday Vercel CEO Guillermo Rauch admitted attackers used a third-party AI tool, Context.ai, as the foothold to breach Vercel itself. Yesterday Google Cloud advisory chair Betsy Atkins went on Fox Business and called AI an insider threat that needs zero trust treatment.

Now OpenAI. Same week. Three independent confirmations that the AI infrastructure stack, the same stack that runs through every Fortune 500 procurement deck right now, has open doors that nobody has audited yet.

OpenAI is preparing to file paperwork for a Q4 IPO at an $852B valuation. This belongs in the S-1 risk factors. Anthropic just launched Project Glasswing with a hundred-million-dollar coalition of every major tech company specifically to harden cybersecurity. OpenAI just shipped a competing cybersecurity model called GPT-5.4-Cyber to the Five Eyes intelligence agencies a week ago. And the same company can't keep its own macOS build pipeline from executing a DPRK trojan.

There is a good story to be told here about transparency. OpenAI disclosed quickly. They revoked. They publicly confirmed. That is the playbook. Most companies hit by a UNC1069 supply chain attack would still be writing the press release.

But the lesson is uglier. AI labs are now the highest-value target on Earth. They sit inside every enterprise. They hold the API keys, the billing relationships, the inference for everything from your bank's fraud detection to the Pentagon's procurement pipeline. They are also software companies that depend on the same fragile open-source supply chain as everyone else. A single compromised npm maintainer, three hours of bad packages, and a state actor was inside one of the four most valuable AI companies in the world.

The attack surface for the next decade just got mapped. We are not going to like the results.

Sources: Reuters technology desk reporting (April 24, 2026), CISA advisory (April 22), Google Threat Intelligence Group attribution to UNC1069, Huntress and Truesec incident response analysis, OpenAI confirmation statement.