=== TAG ===
Cybersecurity
=== HEADLINE ===
North Korea Hijacked Axios to Hit OpenAI's Mac Code-Signing Keys
=== META_DESC ===
On March 31, 2026, North Korean hackers (UNC1069) hijacked the Axios npm package—100M weekly downloads—and planted a backdoor that reached OpenAI’s macOS code-signing pipeline. OpenAI revokes the exposed certificate May 8; all Mac users must update ChatGPT Desktop, Codex, and Atlas.
=== DATE ===
May 1, 2026
=== AUTHOR ===
Jane Sterling
=== READ_TIME ===
9-minute read
=== HERO_IMG ===
img/content.png
=== SCRIPT_LABEL ===
Video Script (9 min, clean transcript for captioning)
=== SCRIPT ===
On the morning of March 31, 2026, a developer named Jason Saayman woke up to find out he had been completely deceived by one of the most sophisticated social engineering operations ever aimed at an open source software maintainer. By the time he realized what had happened, a backdoor linked to North Korea had already been live on the npm registry for nearly three hours. And during those three hours, it had already touched OpenAI's application signing pipeline.
The package at the center of this story is Axios. If you have written any JavaScript in the last decade, you have almost certainly used it. With over 100 million weekly downloads for version one alone, Axios is the HTTP client library that a substantial fraction of the modern web depends on. It handles how countless applications make network requests. And for a brief window that morning, a North Korean threat actor owned the account that publishes it.
The group responsible was identified and attributed by Google's Threat Intelligence Group under the designation UNC1069, a North Korean-nexus organization that has been tracked as active since at least 2018. Microsoft independently tracks the same group as Sapphire Sleet, also known as BlueNoroff and CryptoCore. This group has historically focused on financial theft and cryptocurrency, but Axios shows they will target software infrastructure when the downstream access is valuable enough.
To get into Saayman's npm account, they did not exploit a zero-day vulnerability or break any encryption. They ran a methodical, long-running social engineering campaign. The operation involved constructing an entirely fake company, complete with a LinkedIn presence, a Slack workspace branded with the fake firm's continuous integration tooling, and active channels posting content to appear lived in over time. They cloned the identity of real company founders. Then they invited Saayman to a meeting.
Saayman later described the experience in a detailed post-mortem published to the official Axios GitHub repository. "They had cloned the company's founders' likeness as well as the company itself. They invited me to a real Slack workspace. This workspace was branded to the company's CI and named in a plausible manner. The Slack [workspace] was thought out very well; they had channels where they were sharing LinkedIn posts."
He added: "Everything was extremely well coordinated, looked legit, and was done in a professional manner."
When the maintainer of one of the world's most downloaded packages describes an attack as extremely well coordinated and professional, that tells you the level of investment UNC1069 put into this access. It was a theater production built to earn the trust of exactly one person. And it worked.
That investment paid off. UNC1069 obtained Saayman's npm credentials and published two malicious versions of Axios: version 1.14.1 targeting the v1.x branch, and version 0.30.4 targeting the older 0.x branch. Those version numbers were not chosen randomly. They sat just above the latest stable releases in each branch, making them the natural pick for any automated dependency update tool scanning for newer versions. The attack was designed to be pulled in automatically.
Here is what those packages actually contained. Buried inside each one was a dependency that does not exist in the legitimate Axios project: a package called plain-crypto-js, version 4.2.1. That package was the delivery mechanism for a cross-platform backdoor that Google's researchers named WAVESHAPER.V2. The backdoor ran on Windows, macOS, and Linux. It established a connection back to a command-and-control server over TCP port 8000, and its designed purpose was data exfiltration. Once installed, it gave attackers a persistent remote foothold on any machine that had run the affected package.
The malicious versions stayed live on npm for approximately 3 hours before being identified and removed. But automated build pipelines do not wait for morning briefings. In three hours, a CI system can execute dozens of times.
Which brings us to OpenAI.
During that window, a GitHub Actions workflow running inside OpenAI's macOS application code-signing pipeline executed and pulled in Axios version 1.14.1, the malicious version. That specific workflow was responsible for signing four OpenAI applications: ChatGPT Desktop, Codex, Codex CLI, and Atlas. By downloading the poisoned package, the pipeline had exposed the code-signing certificate used to verify all four of those applications to potential theft.
The failure that made this possible comes down to two missing safeguards. First, OpenAI's workflow was using a floating version tag rather than a pinned commit hash. Instead of specifying exactly which version of Axios to use at a fixed, verified point in time, the workflow simply said: give me the latest available version. Second, the workflow had no minimum release age policy. That is a control that holds any newly published package version in a waiting period before a production pipeline can consume it. Without both of those safeguards in a certificate-signing pipeline, you are one malicious npm publish away from exactly what happened here.
Pinning dependencies to specific commit hashes rather than floating version tags has been standard supply chain security guidance since the 2020 SolarWinds incident. Engineers and security researchers on Hacker News were pointed in their response: how does a company with OpenAI's resources end up with a floating version tag in the pipeline that handles its most sensitive application certificates?
OpenAI published its formal incident response on April 11, 2026. The company reported that forensic analysis found the code-signing certificate was LIKELY not successfully exfiltrated. No evidence was found that user data was accessed or that any software distributed to users was actually altered. Job sequencing within the pipeline may have prevented WAVESHAPER.V2 from completing its exfiltration objective.
But "likely not" is not a sufficient threshold when you are talking about a certificate used to sign software distributed to millions of users. A stolen signing certificate could let an attacker distribute software that macOS treats as legitimate and verified. OpenAI announced it would fully revoke the exposed certificate on May 8, 2026. After that date, macOS security protections will BLOCK any application still signed with the old certificate. Every user of those 4 apps, ChatGPT Desktop, Codex, Codex CLI, and Atlas, must update before that deadline or their applications will stop running.
Now widen the frame. Axios version one had 100 million weekly downloads at the time of the compromise. The second malicious version targeted the 0.x branch, which itself had 83 million weekly downloads. Public reporting has not produced a comprehensive list of affected organizations beyond OpenAI; some may not yet know.
The framing that circulated most widely in the security community after this event was pointed: North Korea did not hack OpenAI. They hacked Axios. OpenAI's disclosure attracted attention because OpenAI is the most recognizable name, but that coverage pulled focus from a structural problem no single organization can solve.
Jason Saayman is one person. He maintains a package with over 100 million weekly downloads. He was not protected by a corporate security team monitoring for suspicious npm publish events. He was not operating under a policy requiring hardware security keys for registry access. He was a skilled developer doing his best, and one of the most capable state-sponsored threat actor groups in this domain spent significant time and resources running a targeted deception campaign against him specifically. Not because he is careless. Because he is a SINGLE POINT OF FAILURE for global software infrastructure, and his attackers understood that perfectly.
This is the same structural vulnerability that the 2024 XZ Utils backdoor exposed, where a lone trusted maintainer was socially engineered over the course of two years. The Axios attack was faster and more technically direct, but the root cause is the same: critical open source infrastructure maintained by a single individual, without the monitoring or organizational resources that a funded team would have.
Charles Carmakal, Chief Technology Officer at Mandiant Consulting at Google, addressed the broader picture directly. "The number of recent software supply chain attacks is overwhelming. Defenders need to pay close attention to these campaigns. Enterprises should spin up dedicated projects to assess the existing impact, remediate, and harden against future attacks."
CISA issued a formal advisory on April 20, 2026, three weeks after the malicious packages had already been removed from npm. The advisory recommended mandating phishing-resistant multi-factor authentication on all developer accounts, configuring npm with ignore-scripts=true to block malicious install-time script execution, and enforcing a minimum package release age of seven days before any new version enters a production pipeline. All three recommendations are technically sound. All three arrived three weeks after the window during which they would have mattered in this case.
Saayman closed his post-mortem with a passage that received wide attention across the developer community. "It is sad to me that zero trust can be put in people as my only objective is to create useful things with code but it seems like the world is strongly against that with someone trying to steal / exploit something at every corner. My countries philosophy is 'Ubuntu' - 'I am because we are' or 'humanity towards others.' I hope that more can embrace that in the future."
That is a painful statement from a person who has been the target of a state-sponsored operation. The security posture that would have stopped this attack, hardware MFA on npm accounts, pinned and audited dependencies, automated anomaly detection on new package publishes, none of that can reasonably be expected of a solo maintainer working without organizational backing. It requires resources. Companies generating billions on top of Saayman's library owe the open source infrastructure beneath them a more meaningful investment.
The May 8, 2026 update deadline for OpenAI's Mac users is the visible, immediate, concrete problem. Update your apps before that date. The larger and more durable problem is whether this incident actually shifts how the software industry treats the single-maintainer open source packages it depends on. That answer will not come from CISA advisories. It will come from what major software companies decide to fund, require, and take responsibility for. Right now, somewhere, another developer is probably getting an invite to a very professional-looking Slack workspace.
=== SCRIPT_HTML ===
=== ARTICLE_HTML ===
=== YOUTUBE_DESC ===
A North Korean state hacking group spent months building a fake company—complete with a Slack workspace, cloned executive profiles, and active channels—just to fool one developer into handing over the keys to one of the internet’s most downloaded JavaScript libraries. Then it hit OpenAI’s application signing pipeline.
Sterling Intelligence covers the AI and tech stories that matter. Subscribe for weekly deep-dives.
On March 31, 2026, threat actor UNC1069—tracked by Microsoft as Sapphire Sleet and historically known as BlueNoroff and CryptoCore—hijacked the npm account of Jason Saayman, the sole maintainer of the Axios HTTP client library. Axios has more than 100 million weekly downloads on its v1.x branch alone, with another 83 million on the 0.x branch. UNC1069 published two malicious versions: 1.14.1 and 0.30.4. Each contained a hidden dependency—plain-crypto-js@4.2.1—that deployed a cross-platform backdoor called WAVESHAPER.V2. The backdoor communicated with a command-and-control server over TCP port 8000 and was designed to exfiltrate data from Windows, macOS, and Linux systems. Both malicious versions sat just above the latest stable releases in each branch—the natural pick for any automated dependency update tool scanning for newer versions.
The packages were live for approximately three hours before being removed. That was enough time.
A GitHub Actions workflow inside OpenAI’s macOS application code-signing pipeline executed during that window and pulled in Axios version 1.14.1. That workflow was responsible for signing four applications: ChatGPT Desktop, Codex, Codex CLI, and Atlas. The pipeline had two critical misconfigurations: it used a floating version tag instead of a pinned commit hash, and it lacked any minimum package release age policy—a control that would have held newly published package versions in a waiting period before production could consume them. Both are standard supply chain security controls that have been recommended guidance since the 2020 SolarWinds incident. Neither was in place in the pipeline that handled OpenAI’s most sensitive application certificates.
OpenAI’s forensic analysis found the certificate was likely not successfully exfiltrated due to job sequencing within the pipeline. But “likely” is not a sufficient threshold for a code-signing certificate used to distribute software to millions of users. OpenAI announced full revocation of the exposed certificate on May 8, 2026. After that date, macOS will block any application still signed with the old certificate. If you use ChatGPT Desktop, Codex, Codex CLI, or Atlas on a Mac, you need to update before May 8, 2026.
The deeper story is about systemic infrastructure risk. Axios is maintained by a single developer. So was the XZ Utils package at the center of a similar social engineering campaign in 2024. These are not edge cases—they are critical open source dependencies for a substantial fraction of the global software industry, maintained without the monitoring systems, hardware security key requirements, or automated anomaly detection that a well-funded corporate security team would deploy. CISA issued a guidance advisory three weeks after the fact. The structural fix—meaningful funded corporate stewardship of critical open source infrastructure—cannot come from a government advisory. It has to come from the companies that build billion-dollar products on top of these libraries.
⏱ Chapters
00:00 - Hook
00:54 - What Is Axios and Why It Matters
02:00 - UNC1069’s Social Engineering Campaign
03:55 - WAVESHAPER.V2 Backdoor Explained
04:24 - How OpenAI’s Signing Pipeline Was Hit
06:15 - Certificate Revocation Deadline
06:39 - Single-Maintainer Risk and the XZ Utils Parallel
08:48 - Sign-off
#AI #OpenAI #NorthKorea #Cybersecurity #SupplyChainAttack #npm #Axios #ChatGPT #UNC1069 #WAVESHAPER #BlueNoroff #SapphireSleet #OpenSourceSecurity #Malware #GitHubActions #CodeSigning #SoftwareSecurity #TechNews #AINews #CISAAlert
=== TITLES_HTML ===
Top Pick
North Korea Hijacked Axios to Hit OpenAI’s Signing Keys55 chars
Factual and keyword-rich; surfaces both Axios and OpenAI for search.
Alternate 1
How North Korea Fooled a Solo Dev Into Opening OpenAI53 chars
Human drama angle; “fooled” drives curiosity about the social engineering operation.
Alternate 2
The Single-Maintainer Flaw That Let North Korea In50 chars
Analyst angle; frames the structural open source risk as the central thesis.
=== KEYWORDS ===
AI, OpenAI, cybersecurity, npm security, supply chain attack, open source security, malware, ChatGPT, Axios, UNC1069, WAVESHAPER.V2, North Korea hackers, Jason Saayman, npm compromise, ChatGPT Desktop, code signing certificate, CISA advisory, BlueNoroff, Sapphire Sleet, GitHub Actions, macOS security, UNC1069 npm attack, Axios npm supply chain hack, OpenAI Mac app update, single maintainer open source risk, software supply chain security 2026, North Korea supply chain attack
=== THUMBNAIL_HTML ===
Expression. Quietly alarmed, jaw slightly set — measured urgency without panic. Direct, locked-in eye contact with camera.
Head position. Slight leftward tilt, facing camera, chin level.
Wardrobe. Dark charcoal blazer, minimal accessories, no jewelry that catches light.
Eye direction. Direct to camera.
Lighting. Key light upper-left at ~4700K, 3:1 fill ratio, thin red-tinted rim light on right shoulder.
Scene. Near-black charcoal background with faint red code-glyph pattern at 9% opacity. Terminal-glow rim accent. Cybersecurity threat aesthetic.
Best
NORTH KOREA HACKED AXIOS — NOT OPENAI
Position. Bottom-center, full width, stacked two lines.
Font. Heavy sans-serif, 800 weight, all-caps, tight tracking.
Color scheme. White (#FFFFFF) primary text on a solid charcoal bar (#111111 at 85% opacity); "NORTH KOREA" in red (#C8202A).
Accent detail. 2px red left-border on the text block; subtle red drop-shadow behind "HACKED".
Alternate 1
100M DOWNLOADS. ONE ACCOUNT. ONE MISTAKE.
Position. Bottom-left, two-line stack with a short red divider bar above.
Font. Bold condensed sans-serif, 700 weight, all-caps, generous line-height.
Color scheme. White (#FFFFFF) text on transparent charcoal overlay; "100M" in bright red (#FF2D2D) for contrast pop.
Accent detail. Thin 1px white horizontal rule above the text block; red underline beneath "ONE MISTAKE."
Alternate 2
YOUR SIGNING CERT WAS IN THE BLAST RADIUS
Position. Top-left, single line with an eyebrow label below: "OpenAI macOS · May 2026".
Font. Medium-weight extended sans-serif, 600 weight, all-caps, wide letter-spacing (0.08em).
Color scheme. Off-white (#F0F0F0) main text; eyebrow in muted red (#A01A1A), 50% smaller.
Accent detail. Faint dark-red gradient bar (#600000 → transparent) behind the top-left corner block.
=== HEYGEN_LOOK ===
A photorealistic headshot photo of a poised woman in her early 30s wearing a dark charcoal blazer with minimal styling and no light-catching jewelry, positioned against a near-black charcoal background with a faint red (#C8202A) terminal-code-glyph pattern at 9% opacity across the mid-ground — evoking a compromised npm registry or poisoned CI/CD pipeline feed. Key light from upper-left at approximately 4700K, 3:1 fill ratio, with a thin red-tinted rim light along her right shoulder to anchor the cybersecurity threat palette. Expression is quietly alarmed — direct gaze into camera, jaw lightly set, conveying measured urgency without overt panic. Framing: close headshot, face occupying the upper two-thirds of the frame, clean negative space below. Ultrarealistic, sharp focus, clean rendering, artifact-free, shallow depth of field.
=== MOTION_LOWER_THIRD ===
name: Jane Sterling
role: Cybersecurity Reporter
org: Sterling Intelligence
=== MOTION_OUTRO ===
eyebrow: If the receipts hit —
main: Subscribe.
sub: New episodes every week. No filler.
platform1: YouTube
handle1: @sterlingintelligence
platform2: X / Twitter
handle2: @SterlingIntel
platform3: Web
handle3: Sterlingintel.ca
=== MOTION_STAT_1 ===
category: npm Exposure Window
value: 3
unit: hrs
desc1: Malicious Axios versions live on npm before removal
desc2: March 31, 2026 · 00:21–03:25 UTC
badge: Both v1.14.1 and v0.30.4 active in that window
=== MOTION_STAT_2 ===
category: Axios v1.x
value: 100
unit: M
desc1: Weekly npm downloads at time of compromise
desc2: npm Registry · March 2026
badge: Most-downloaded HTTP client in the JS ecosystem
=== MOTION_STAT_3 ===
category: OpenAI Apps Exposed
value: 4
unit:
desc1: ChatGPT Desktop, Codex, Codex CLI, and Atlas — signing cert exposed
desc2: GitHub Actions pipeline · March 31, 2026
badge: Update required before May 8, 2026
=== MOTION_FINANCE_CHART_1 ===
title: Microsoft vs S&P 500 — Last 3 Months
subtitle: Through the Axios supply chain incident on GitHub Actions
ticker_a: MSFT
label_a: Microsoft
color_a: cyan
ticker_b: ^GSPC
label_b: S&P 500
color_b: purple
period: 3mo
footer: Source: Yahoo Finance · May 2026
=== MOTION_STAT_4 ===
category: Axios 0.x Branch
value: 83
unit: M
desc1: Weekly downloads targeted by malicious v0.30.4
desc2: npm Registry · March 2026
badge: Second attack vector alongside the v1.x branch
=== MOTION_STAT_5 ===
category: XZ Utils Precedent
value: 2
unit: yrs
desc1: Duration of social engineering targeting the lone XZ Utils maintainer
desc2: 2022–2024 · Near-miss on global Linux infrastructure
badge: Same root cause: single-maintainer trust exploitation
=== MOTION_STAT_6 ===
category: CISA Response Lag
value: 21
unit: days
desc1: Time from malicious packages removed to CISA advisory published
desc2: Packages removed Mar 31 · Advisory issued Apr 20, 2026
badge: Guidance arrived after the window it would have closed
=== MOTION_STAT_7 ===
category: CISA Recommendation
value: 7
unit: days
desc1: Minimum package release age before production pipeline adoption
desc2: CISA Advisory · April 20, 2026
badge: Would have blocked both malicious versions if enforced
=== SOURCES_HTML ===