TeamPCP Just Took Out OpenAI's macOS Code-Signing Certificate. We've Been Tracking This Crew Since March.
- Patrick Duggan
OpenAI revoked their macOS desktop application code-signing certificate as a precaution. Effective yesterday, May 8, 2026, older versions of the OpenAI macOS app no longer receive updates or support. The proximate cause is the March 31, 2026 supply-chain compromise of the Axios developer library, where a misconfigured GitHub Actions workflow — floating tag, no minimum-release-age check — let a backdoored release ship to thousands of downstream projects.
OpenAI used Axios. Treated the cert as compromised. Rotated. End of paragraph one of OpenAI's official advisory.
Here is the part the official advisory does not say. The Axios npm compromise is one node in a multi-month, multi-registry, multi-victim kill chain attributed to TeamPCP — the same crew we covered on April 1 in the post "One Actor, Three Supply Chains: How TeamPCP Chained Trivy, LiteLLM, and Telnyx Into a Single Kill Chain," and on April 17 in "The Chain Reaches Government: TeamPCP + ShinyHunters Hit Cisco and the European Commission." Two months ago we said this would extend. It just extended to OpenAI.
The chain, with our receipts
We have 31 TeamPCP-attributed IOCs in our threat-intel index right now. Some of the highlights:
The malware family teampcp-react.service is documented in our index (sourced via Elastic Security's vendor research). It is the post-exploitation framework. The actor's typosquatting domains include aquasecurtiy.org (note the missing "i" — typosquat of Aqua Security) and scan.aquasecurtiy.org, both flagged as command-and-control. A tunneled C2 cluster runs through Cloudflare Workers — championships-peoples-point-cassette.trycloudflare.com, investigation-launches-hearings-copying.trycloudflare.com, souls-entire-defined-routes.trycloudflare.com — and a separate cluster runs through Internet Computer Protocol blockchain, with tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io as the canonical raw-blockchain endpoint.
The Axios compromise specifically resolves to sfrclak.com (six independent sources confirm: stepsecurity, sslbl, Elastic Security) over IP 142.11.206.73 on port 8000. We have over five thousand related observations on that IP across our 1.14M-IOC index. The infrastructure was pre-staged eighteen hours before the malicious Axios release was published. That detail comes from socket.dev and stepsecurity's incident postmortems — and it is the operational tell. This was not opportunistic.
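A minimal way to sweep DNS and connection logs for the network indicators quoted above, added here as an example and not code from this index or from any vendor named in the post. The four-field log layout, the function names and the sample lines are constructed assumptions; the indicators themselves are the ones in the text.

```python
import ipaddress

# Indicators quoted from the post; a domain matches itself and any subdomain.
IOC_DOMAINS = {
    "aquasecurtiy.org",
    "sfrclak.com",
    "championships-peoples-point-cassette.trycloudflare.com",
    "investigation-launches-hearings-copying.trycloudflare.com",
    "souls-entire-defined-routes.trycloudflare.com",
    "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
}
IOC_ENDPOINTS = {(ipaddress.ip_address("142.11.206.73"), 8000)}

def match_domain(host):
    """Return the IOC that host equals or is a subdomain of (None otherwise)."""
    labels = host.strip().rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # whole labels only, so no substring hits
        if candidate in IOC_DOMAINS:
            return candidate

def scan(lines):
    """Return (line_number, indicator) for every log line that hits an IOC."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 4:
            continue  # not in the assumed "time source kind value" layout
        kind, value = fields[2], fields[3]
        if kind == "dns" and (ioc := match_domain(value)):
            hits.append((number, ioc))
        elif kind == "conn":
            host, _, port = value.rpartition(":")
            try:
                endpoint = (ipaddress.ip_address(host), int(port))
            except ValueError:
                continue  # hostname or malformed destination
            if endpoint in IOC_ENDPOINTS:
                hits.append((number, f"{endpoint[0]}:{endpoint[1]}"))
    return hits

# Constructed sample log (assumed layout: time, source, kind, value).
SAMPLE_LOG = [
    "2026-03-31T02:10:45Z 10.0.4.17 dns SFRCLAK.com.",
    "2026-03-31T02:10:46Z 10.0.4.17 conn 142.11.206.73:8000",
    "2026-03-31T02:11:02Z 10.0.9.3 dns scan.aquasecurtiy.org",
    "2026-03-31T02:11:09Z 10.0.9.3 dns notsfrclak.com",
]

print(scan(SAMPLE_LOG))
```

Matching on whole DNS labels is what keeps notsfrclak.com from hitting while scan.aquasecurtiy.org and the upper-case, trailing-dot form of sfrclak.com still do.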
The LiteLLM compromise — same actor, March 24, 2026 — landed in the package versions litellm==1.82.7 and litellm==1.82.8. Both are in our IOC index, tagged supply-chain from maltrail+github-hunt. The C2 was the ICP blockchain endpoint above, plus a Telnyx-derived pivot. We tagged the underlying CVE-2026-42208 (BerriAI LiteLLM SQL injection) on this morning's customer protection blog as one of the top fifteen actively-exploited KEV-listed CVEs. We did not name the actor in that post because we were leading with patch priority. The actor is TeamPCP.
Why the OpenAI tie-in matters
OpenAI is not the first AI company TeamPCP threaded. They are not even the second.
The chain ran:
Trivy (Aqua Security typosquat → container scanner supply-chain) — early March 2026
LiteLLM (the AI-gateway library used by basically everyone running multi-model proxies) — March 24
Telnyx (telecom CPaaS pivot) — March-April
Axios (npm developer library) — March 31
Mercor (the $10B AI training-data labeling startup that supplies OpenAI, Anthropic, and Meta) — April 2026
OpenAI (downstream of Axios; macOS code-signing cert revoked May 8)
That's six distinct compromise events in roughly six weeks, one actor, hitting the AI infrastructure stack at six different trust-boundary soft surfaces. This is not "OpenAI got hacked." OpenAI's perimeter is, by all evidence, fine. What got compromised is the soft middle — the libraries OpenAI builds with, the data labelers OpenAI buys from, the certs OpenAI ships under. The hard ingress held. The trust boundary leaked.
Our prior post "The AI Agent Is the New Login Shell. Six Holes in Seven Days." called this out as the architectural shift in late April. Today's OpenAI cert rotation is the seventh hole.
What defenders should do tonight
If you operate the OpenAI macOS desktop application: update to the post-rotation build immediately. The pre-rotation build will not receive future security updates. OpenAI's advisory is at openai.com/index/axios-developer-tool-compromise/.
If you run anything that depends on Axios (npm): pin to a known-good version, audit your package-lock.json against published incident-response advisories from socket.dev and stepsecurity, and rotate any secrets the dependency could have touched if you upgraded into the bad version window.
If you run LiteLLM: pin below 1.82.7. Versions 1.82.7 and 1.82.8 are in our IOC index as supply-chain compromised. CVE-2026-42208 is the SQL injection vector. Patch and audit any proxied API keys (OpenAI, Anthropic, etc.) — those are the secrets a compromised LiteLLM gateway would have touched.
If you run Trivy or any Aqua Security tooling: check your update channel against the typosquat domains. aquasecurtiy.org is not Aqua Security — it is C2 infrastructure tagged in our threat-intel index.
If you ingest any AI-related developer dependency: this is the moment to apply a minimum-release-age policy on critical packages, the kind of thing OpenAI now wishes they had on Axios. A 24- or 48-hour staging window between npm publish and your production install would have prevented the OpenAI cert rotation entirely.
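One way to enforce the staging window described above as a CI gate over package-lock.json, added here as an example and not OpenAI's or any vendor's tooling. The function names, package names, versions and timestamps are constructed; the publish-time map is assumed to be fetched beforehand and to mirror the version-to-timestamp "time" field of npm registry metadata.

```python
from datetime import datetime, timedelta, timezone

def locked_packages(lock):
    """Yield (name, version) from the "packages" map of a v2/v3 package-lock.json."""
    for path, meta in lock.get("packages", {}).items():
        if not path or "version" not in meta:
            continue  # "" is the root project; entries without a version are links
        # Nested installs look like node_modules/a/node_modules/@scope/b
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, meta["version"]

def too_young(lock, publish_times, now, min_age=timedelta(hours=48)):
    """Return sorted (name, version, reason) for installs that fail the age gate."""
    failures = set()  # a set, because one version can be installed at several paths
    for name, version in locked_packages(lock):
        stamp = publish_times.get(name, {}).get(version)
        if stamp is None:
            # Fail closed: an unknown publish time cannot prove the version is old.
            failures.add((name, version, "publish time unknown"))
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        age = now - published
        if age < min_age:
            hours = int(age.total_seconds() // 3600)
            failures.add((name, version, f"published {hours}h ago"))
    return sorted(failures)

# Constructed lockfile fragment with hypothetical package names.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/example-http-client": {"version": "2.4.1"},
    "node_modules/example-utils": {"version": "1.0.3"},
    "node_modules/example-http-client/node_modules/@example/logger":
        {"version": "0.9.0"},
}}
# Constructed publish times; @example/logger is deliberately missing.
SAMPLE_TIMES = {
    "example-http-client": {"2.4.1": "2026-04-01T03:00:00.000Z"},
    "example-utils": {"1.0.3": "2025-11-12T08:30:00.000Z"},
}
NOW = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)  # constructed build time

if __name__ == "__main__":
    for name, version, reason in too_young(SAMPLE_LOCK, SAMPLE_TIMES, NOW):
        print(f"BLOCK {name}@{version}: {reason}")
```

A non-empty result should fail the build, so a release published nine hours earlier never reaches a production install.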
What we said two months ago
From the April 1 post: "TeamPCP is not chasing one CVE or one product. They are chasing the soft connective tissue between products — the AI gateways, the container scanners, the registries, the developer libraries that everyone in the AI infrastructure stack assumes is safe because everyone uses it."
That assumption is the attack surface. It has been for two months. It just cost OpenAI a code-signing certificate.
How to verify any of this
Every IOC named above is live in our public threat-intel index. Sample queries that work right now:
https://analytics.dugganusa.com/api/v1/search/iocs?q=TeamPCP returns the 31 TeamPCP-attributed indicators.
https://analytics.dugganusa.com/api/v1/search/iocs?q=sfrclak returns the Axios attack infrastructure.
https://analytics.dugganusa.com/api/v1/search/iocs?q=litellm returns the eight LiteLLM IOCs including the compromised package versions.
https://analytics.dugganusa.com/api/v1/search/blog?q=TeamPCP returns our coverage trail back to March.
There is no per-seat pricing. The free tier is rate-limited at 500 queries per day, which is enough to validate every claim in this post yourself. If you operate AI infrastructure for a living, every dependency you ship is a node in someone else's kill chain. Today it is OpenAI's. Tomorrow it could be yours.
The hard perimeter holds. The soft surfaces bleed.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
