OpenAI's macOS Certificates Got Hacked by a 60-Second Beeping RAT
Everyone talks about AI safety like the biggest threat is Skynet becoming sentient. Meanwhile, the real danger is some North Korean hacker hijacking an npm account and turning your favorite HTTP library into a remote access trojan.
That's exactly what happened to OpenAI on March 31st, 2026. Their GitHub Actions workflow for signing macOS apps downloaded what it thought was the trusty Axios JavaScript library. Instead, it got versions v1.14.1 and v0.30.4 - packed with a hidden dependency called plain-crypto-js.
<> The RAT enables reconnaissance, persistence, and evasion via self-destruction, with C2 beeping every 60 seconds via Base64 JSON over HTTP POST./>
Sixty. Second. Beacons. Imagine being so bold that your malware phones home more frequently than your anxious mother.
The Trojan Horse Nobody Saw Coming
This wasn't some sophisticated zero-day exploit. An Axios maintainer's npm account got hijacked. That's it. One compromised account, and suddenly malware is flowing into CI/CD pipelines across the internet.
The attack targeted OpenAI's code signing certificates - the cryptographic keys that tell macOS "yes, this ChatGPT Desktop app is legit, not some knockoff from a sketchy website." If those certificates had been fully compromised, attackers could've signed their own malicious apps and distributed them as official OpenAI software.
OpenAI detected the breach and responded by:
1. Rotating all macOS code signing certificates
2. Updating affected apps (ChatGPT Desktop, Atlas, and Codex)
3. Fixing their GitHub Actions workflow
4. Planning to kill older app versions on May 8th, 2026
No user data was compromised. No API keys leaked. But that's almost beside the point.
The Elephant in the Room
Google attributes this attack to North Korean cybercriminals. The same groups that brought you the Sony Pictures hack and WannaCry are now poisoning JavaScript libraries.
We're building the future of AI on a foundation of open-source dependencies maintained by volunteers in their spare time. Every npm install is a potential attack vector. Every GitHub Actions workflow is a possible entry point.
Unit 42 from Palo Alto Networks called this attack "widespread impact," and they're not wrong. The malware worked across Windows, macOS, and Linux. It had reconnaissance capabilities. It could persist on infected systems. And when things got too hot, it would self-destruct.
Supply Chain Roulette
OpenAI isn't the first victim of supply chain attacks, and they won't be the last. Remember SolarWinds in 2020? That single compromise affected 18,000+ organizations.
The uncomfortable truth: every developer is playing supply chain roulette. Your package.json file is basically a trust exercise with strangers on the internet.
Some practical defenses:
- Pin your dependency versions (don't auto-update everything)
- Monitor CI/CD workflows for unexpected downloads
- Use runtime detection tools like Cortex XDR
- Implement software supply chain security in your deployment pipeline
The Market Shrugs
Here's what's fascinating: the market treated this as a "minor operational hiccup." No stock volatility. No investor panic. Supply chain risks are apparently "priced-in" for AI companies now.
That's either reassuring or terrifying, depending on your perspective.
OpenAI handled this well - transparent communication, swift remediation, no apparent data loss. But the incident exposes how fragile our development infrastructure really is.
We're building AGI on a house of cards made from npm packages. And somewhere in Pyongyang, hackers are shuffling the deck.
