April 22, 2026
Fetch me the popcorn
OpenAI's response to the Axios developer tool compromise
OpenAI says “no data leaked” after Axios scare — devs roast the delay and the Axios choice
TLDR: OpenAI is rotating Mac app certificates after a tainted Axios update hit its build process; users must update by May 8, and it says no data was compromised. Commenters split between praising transparency and blasting the slow response and the choice to use Axios instead of built‑in tools, highlighting supply‑chain fragility.
OpenAI says a bad version of the popular code library Axios slipped into its Mac app–signing process, but no user data was touched and no apps were altered, according to OpenAI. The fix? New security certificates (think digital ID cards for apps) and a mandatory update for all macOS users before May 8. That’s the official story. The comments? That’s where the sparks flew.
One camp is furious about timing. As commenter fortuitous-frog noted, the Axios compromise happened March 31, the blog went up April 10, and emails hit users April 21. Translation: “Why so slow?” Another camp is dragging the tech choice itself: “Axios in 2026?” scoffs danscan, arguing that modern JavaScript already has a built-in tool called “fetch,” so relying on Axios screams “stuck in 2015.” Meanwhile, eranation piles on with a PSA: set a delay before trusting brand-new packages (a setting in the package manager) to avoid swallowing poisoned updates.
Not everyone’s here for the roast. A quieter crowd, like mrcwinn, says OpenAI’s disclosure was “above and beyond,” with outside forensics, Apple coordination, and certificate revocation. But memes are memeing: “Axios? More like Ax-i-ouch,” and “fetch me the popcorn.”
Drama aside, the stakes are real: a leaked certificate could let attackers dress malware up as “OpenAI.” OpenAI insists there’s no evidence that happened and it’s revoking the old certificate anyway. Users just need to update. The debate raging underneath—speed vs. transparency, old habits vs. modern tools—shows how fragile the software supply chain can be, even for the big leagues.
Key Points
- On Mar 31, 2026, a malicious Axios v1.14.1 package executed in OpenAI’s GitHub Actions macOS app-signing workflow during a broader supply chain attack.
- The workflow had access to code-signing and notarization materials for macOS apps (ChatGPT Desktop, Codex, Codex CLI, Atlas); analysis suggests the certificate was likely not exfiltrated.
- OpenAI is revoking and rotating its macOS code-signing certificate and requiring users to update apps; older versions may stop working after May 8, 2026.
- OpenAI engaged a third-party DFIR firm, published new builds with the new certificate, coordinated with Apple to block notarization using the old certificate, and found no evidence of data or software compromise.
- Root cause: a GitHub Actions misconfiguration using a floating tag and missing a minimumReleaseAge setting, which has been addressed.
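The two controls named in that last point, as an added illustration that is not OpenAI's code or workflow: a scan for `uses:` references pinned to a floating tag rather than a full commit SHA, and a release-age gate in the spirit of pnpm's minimumReleaseAge (which accepts a version only once it has been published for a configured number of minutes). The workflow text, the 40-hex placeholder SHA and the publish timestamps are constructed for the example; the page does not say which action or dependency carried the floating tag.

```python
"""Checks for the two misconfigurations cited as root cause: floating
GitHub Actions tags and a missing minimum-release-age gate for packages."""
import re
from datetime import datetime, timedelta

# A `uses:` line; group 1 is owner/repo[/path], group 2 is the ref after '@'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.\-/]+)@(\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def floating_action_refs(workflow_yaml: str) -> list:
    """Return (action, ref) pairs whose ref is a tag or branch, not a full
    commit SHA. A tag can be moved by whoever controls the action repo, so
    a signing workflow should pin to an immutable SHA."""
    return [(action, ref) for action, ref in USES_RE.findall(workflow_yaml)
            if not FULL_SHA_RE.match(ref)]


def _parse_iso(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' (UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_old_enough(version_times: dict, version: str,
                       now_iso: str, min_age_minutes: int) -> bool:
    """Emulate a minimumReleaseAge gate: accept `version` only if it was
    published at least `min_age_minutes` before `now_iso`. `version_times`
    maps version -> publish time, like the registry packument's `time` map."""
    age = _parse_iso(now_iso) - _parse_iso(version_times[version])
    return age >= timedelta(minutes=min_age_minutes)


# Constructed sample workflow: one floating tag, one placeholder full SHA.
SAMPLE_WORKFLOW = """\
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""
# Constructed publish times (illustrative, not real registry data).
SAMPLE_TIMES = {"1.14.0": "2026-03-01T00:00:00Z", "1.14.1": "2026-03-31T12:00:00Z"}

if __name__ == "__main__":
    print("floating refs:", floating_action_refs(SAMPLE_WORKFLOW))
    now = "2026-03-31T13:00:00Z"  # constructed: one hour after 1.14.1 appeared
    for v in SAMPLE_TIMES:  # 1440 minutes = a one-day quarantine
        print(v, "allowed" if release_old_enough(SAMPLE_TIMES, v, now, 1440) else "blocked")
```

With a one-day quarantine the brand-new 1.14.1 is blocked while the month-old 1.14.0 is allowed, which is the window the commenter's PSA is about.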