Axios Supply Chain Attack Reaches OpenAI macOS Signing Pipeline(socket.dev)
socket.dev
Axios Supply Chain Attack Reaches OpenAI macOS Signing Pipeline
https://socket.dev/blog/axios-supply-chain-attack-reaches-openai-macos-signing-pipeline-forces-certificate-rotation
2 comments
The fact that OpenAI's pipeline had no minimumReleaseAge configured is surprising though. That's basically saying "run whatever npm published 5 minutes ago in a context that has access to my signing keys." For a company that size, with that attack surface, feels like this should've been caught in a security review.