OpenAI rotates macOS certs after Axios attack hit code-signing workflow

Summary

OpenAI is rotating its macOS code-signing certificates following a supply chain attack that compromised a GitHub Actions workflow. During the attack, a malicious Axios package was executed inside the workflow, potentially undermining the integrity of software signed with those certificates.

IFF Assessment

FOE

This incident is a successful supply chain attack, a significant threat to software integrity and a direct concern for defenders.

Defender Context

This incident underscores the critical importance of securing software development pipelines and supply chains. Defenders should monitor their own CI/CD systems for signs of compromise and be prepared to respond to incidents involving compromised dependencies or code-signing infrastructure, including certificate rotation and re-signing of affected builds.
