OpenAI is rotating potentially compromised macOS code-signing certificates following a supply chain attack that injected malicious code through a compromised Axios package into its GitHub Actions workflow.
The attack leveraged a malicious version of the Axios HTTP library to execute unauthorized code during OpenAI's build process. The compromised package was pulled into the company's CI/CD pipeline, potentially exposing code-signing credentials used to validate macOS applications.
Code-signing certificates are critical security infrastructure—they authenticate software as legitimate and prevent tampering. If attackers obtained these credentials, they could sign malicious macOS applications that would appear trusted to users and systems.
OpenAI's response involved rotating the affected certificates to prevent their continued misuse. The incident highlights persistent vulnerabilities in software supply chains, where attackers can compromise popular open-source dependencies to reach high-profile targets.
The attack underscores the importance of hardening CI/CD security, including limiting credential access, monitoring dependency updates, and implementing strict code review practices. OpenAI has not disclosed whether any signed malicious code was distributed before the certificates were revoked.
Caller ID service Truecaller is pushing back against India's telecom regulator over new anti-spam regulations, claiming users are increasingly blocking calls from the country's dedicated business number series.
Telstra customers faced a second day of disruptions Thursday as a secondary outage prevented some from reaching triple-zero emergency services. Regional train services remained affected following Wednesday's initial mobile network failure.
Australia's government has instructed volunteers to discard thousands of functional test routers despite the devices being capable of being reflashed for continued use.
A lawsuit alleges a man used X's Grok AI to create approximately 7,000 sexually explicit images of his stepdaughter before taking his own life. Multiple young girls are now suing X, claiming the platform failed to prevent the abuse.