North Korea Hijacked Axios to Hit OpenAI's Mac Code-Signing Keys

On the morning of March 31, 2026, a developer named Jason Saayman woke up to find out he had been completely deceived by one of the most sophisticated social engineering operations ever aimed at an open source software maintainer. By the time he realized what had happened, a backdoor linked to North Korea had already been live on the npm registry for nearly three hours. And during those three hours, it had already touched OpenAI's application signing pipeline.

The package at the center of this story is Axios. If you have written any JavaScript in the last decade, you have almost certainly used it. With over 100 million weekly downloads for version one alone, Axios is the HTTP client library that a substantial fraction of the modern web depends on. It handles how countless applications make network requests. And for a brief window that morning, a North Korean threat actor owned the account that publishes it.

The group responsible was identified and attributed by Google's Threat Intelligence Group under the designation UNC1069, a North Korean-nexus organization that has been tracked as active since at least 2018. Microsoft independently tracks the same group as Sapphire Sleet, also known as BlueNoroff and CryptoCore. This group has historically focused on financial theft and cryptocurrency, but Axios shows they will target software infrastructure when the downstream access is valuable enough.

To get into Saayman's npm account, they did not exploit a zero-day vulnerability or break any encryption. They ran a methodical, long-running social engineering campaign. The operation involved constructing an entirely fake company, complete with a LinkedIn presence, a Slack workspace branded with the fake firm's continuous integration tooling, and active channels posting content to appear lived in over time. They cloned the identity of real company founders. Then they invited Saayman to a meeting.

Saayman later described the experience in a detailed post-mortem published to the official Axios GitHub repository. "They had cloned the company's founders' likeness as well as the company itself. They invited me to a real Slack workspace. This workspace was branded to the company's CI and named in a plausible manner. The Slack [workspace] was thought out very well; they had channels where they were sharing LinkedIn posts."

He added: "Everything was extremely well coordinated, looked legit, and was done in a professional manner."

When the maintainer of one of the world's most downloaded packages describes an attack as extremely well coordinated and professional, that tells you the level of investment UNC1069 put into this access. It was a theater production built to earn the trust of exactly one person. And it worked.

That investment paid off. UNC1069 obtained Saayman's npm credentials and published two malicious versions of Axios: version 1.14.1 targeting the v1.x branch, and version 0.30.4 targeting the older 0.x branch. Those version numbers were not chosen randomly. They sat just above the latest stable releases in each branch, making them the natural pick for any automated dependency update tool scanning for newer versions. The attack was designed to be pulled in automatically.

Here is what those packages actually contained. Buried inside each one was a dependency that does not exist in the legitimate Axios project: a package called plain-crypto-js, version 4.2.1. That package was the delivery mechanism for a cross-platform backdoor that Google's researchers named WAVESHAPER.V2. The backdoor ran on Windows, macOS, and Linux. It established a connection back to a command-and-control server over TCP port 8000, and its designed purpose was data exfiltration. Once installed, it gave attackers a persistent remote foothold on any machine that had run the affected package.

The malicious versions stayed live on npm for approximately 3 hours before being identified and removed. But automated build pipelines do not wait for morning briefings. In three hours, a CI system can execute dozens of times.

Which brings us to OpenAI.

During that window, a GitHub Actions workflow running inside OpenAI's macOS application code-signing pipeline executed and pulled in Axios version 1.14.1, the malicious version. That specific workflow was responsible for signing four OpenAI applications: ChatGPT Desktop, Codex, Codex CLI, and Atlas. By downloading the poisoned package, the pipeline had exposed the code-signing certificate used to verify all four of those applications to potential theft.

The failure that made this possible comes down to two missing safeguards. First, OpenAI's workflow was using a floating version tag rather than a pinned commit hash. Instead of specifying exactly which version of Axios to use at a fixed, verified point in time, the workflow simply said: give me the latest available version. Second, the workflow had no minimum release age policy. That is a control that holds any newly published package version in a waiting period before a production pipeline can consume it. Without both of those safeguards in a certificate-signing pipeline, you are one malicious npm publish away from exactly what happened here.

Pinning dependencies to specific commit hashes rather than floating version tags has been standard supply chain security guidance since the 2020 SolarWinds incident. Engineers and security researchers on Hacker News were pointed in their response: how does a company with OpenAI's resources end up with a floating version tag in the pipeline that handles its most sensitive application certificates?

OpenAI published its formal incident response on April 11, 2026. The company reported that forensic analysis found the code-signing certificate was LIKELY not successfully exfiltrated. No evidence was found that user data was accessed or that any software distributed to users was actually altered. Job sequencing within the pipeline may have prevented WAVESHAPER.V2 from completing its exfiltration objective.

But "likely not" is not a sufficient threshold when you are talking about a certificate used to sign software distributed to millions of users. A stolen signing certificate could let an attacker distribute software that macOS treats as legitimate and verified. OpenAI announced it would fully revoke the exposed certificate on May 8, 2026. After that date, macOS security protections will BLOCK any application still signed with the old certificate. Every user of those 4 apps, ChatGPT Desktop, Codex, Codex CLI, and Atlas, must update before that deadline or their applications will stop running.

Now widen the frame. Axios version one had 100 million weekly downloads at the time of the compromise. The second malicious version targeted the 0.x branch, which itself had 83 million weekly downloads. Public reporting has not produced a comprehensive list of affected organizations beyond OpenAI; some may not yet know.

The framing that circulated most widely in the security community after this event was pointed: North Korea did not hack OpenAI. They hacked Axios. OpenAI's disclosure attracted attention because OpenAI is the most recognizable name, but that coverage pulled focus from a structural problem no single organization can solve.

Jason Saayman is one person. He maintains a package with over 100 million weekly downloads. He was not protected by a corporate security team monitoring for suspicious npm publish events. He was not operating under a policy requiring hardware security keys for registry access. He was a skilled developer doing his best, and one of the most capable state-sponsored threat actor groups in this domain spent significant time and resources running a targeted deception campaign against him specifically. Not because he is careless. Because he is a SINGLE POINT OF FAILURE for global software infrastructure, and his attackers understood that perfectly.

This is the same structural vulnerability that the 2024 XZ Utils backdoor exposed, where a lone trusted maintainer was socially engineered over the course of two years. The Axios attack was faster and more technically direct, but the root cause is the same: critical open source infrastructure maintained by a single individual, without the monitoring or organizational resources that a funded team would have.

Charles Carmakal, Chief Technology Officer at Mandiant Consulting at Google, addressed the broader picture directly. "The number of recent software supply chain attacks is overwhelming. Defenders need to pay close attention to these campaigns. Enterprises should spin up dedicated projects to assess the existing impact, remediate, and harden against future attacks."

CISA issued a formal advisory on April 20, 2026, three weeks after the malicious packages had already been removed from npm. The advisory recommended mandating phishing-resistant multi-factor authentication on all developer accounts, configuring npm with ignore-scripts=true to block malicious install-time script execution, and enforcing a minimum package release age of seven days before any new version enters a production pipeline. All three recommendations are technically sound. All three arrived three weeks after the window during which they would have mattered in this case.

Saayman closed his post-mortem with a passage that received wide attention across the developer community. "It is sad to me that zero trust can be put in people as my only objective is to create useful things with code but it seems like the world is strongly against that with someone trying to steal / exploit something at every corner. My countries philosophy is 'Ubuntu' - 'I am because we are' or 'humanity towards others.' I hope that more can embrace that in the future."

That is a painful statement from a person who has been the target of a state-sponsored operation. The security posture that would have stopped this attack, hardware MFA on npm accounts, pinned and audited dependencies, automated anomaly detection on new package publishes, none of that can reasonably be expected of a solo maintainer working without organizational backing. It requires resources. Companies generating billions on top of Saayman's library owe the open source infrastructure beneath them a more meaningful investment.

The May 8, 2026 update deadline for OpenAI's Mac users is the visible, immediate, concrete problem. Update your apps before that date. The larger and more durable problem is whether this incident actually shifts how the software industry treats the single-maintainer open source packages it depends on. That answer will not come from CISA advisories. It will come from what major software companies decide to fund, require, and take responsibility for. Right now, somewhere, another developer is probably getting an invite to a very professional-looking Slack workspace.