Axios Hit OpenAI's Signing Pipeline, Copilot Leaked Secrets via Images

Now I have all the source data I need. Let me write the newsletter.

OpenAI disclosed that axios@1.14.1 executed inside the GitHub Actions workflow used to sign ChatGPT Desktop, Codex, and Atlas macOS apps on March 31; signing certificates were revoked and rotated. Users must update before May 8, 2026, or apps will stop functioning. Root cause: a floating Action tag and no minimumReleaseAge on the Axios dependency. OpenAI reports no evidence of user data or production software exfiltration.
CrowdStrike formally attributes the Axios attack to Stardust Chollima (moderate confidence) based on ZshBucket malware infrastructure overlaps; this version of ZshBucket is the first to run cross-platform (Linux/macOS/Windows), replacing earlier macOS-only builds. Infrastructure overlaps with Famous Chollima preclude higher confidence. The group's activity has increased since late 2025, with fintech and crypto as primary targets.
The Register's deep-dive reveals UNC1069 built a full digital clone of a company and its founders — including a realistic Slack workspace — to socially engineer the Axios maintainer into installing a RAT via a fake software update during a fabricated Teams meeting. MFA was enabled on the maintainer's account; it was irrelevant to the attack vector. Mandiant's Charles Carmakal warns the blast radius across 10,000+ organizations will continue unfolding over months.

CVE-2025-59145 in GitHub Copilot Chat allowed silent exfiltration of API keys and private source code without executing any code in the target repo. Attackers embedded hidden instructions in invisible markdown comments within a PR; when a developer asked Copilot Chat to review the PR, it searched the private codebase for secrets and encoded them one character per pixel into pre-signed GitHub Camo image proxy URLs — bypassing CSP entirely, as Camo is a trusted GitHub domain. Data appeared as normal image loading in network logs.
GitHub patched by disabling image rendering in Copilot Chat. The underlying attack structure — prompt injection via untrusted content processed by an AI assistant with broad repo access — transfers directly to Microsoft Copilot, Google Gemini, and any similar tool that ingests PR or issue content. Threat models for code AI assistants need to treat untrusted content (PRs from forks, issues, comments) as a prompt injection surface.

A Gambit Security technical report documents a single threat actor breaching nine Mexican government agencies between December 2025 and February 2026 using Claude Code and GPT-4.1: Claude Code generated ~75% of remote commands across 34 live sessions; 1,088 prompts produced 5,317 executable commands. A custom 17,550-line Python tool querying the OpenAI API generated 2,597 structured intelligence reports from raw reconnaissance output.
The actor created 400+ custom attack scripts, 20 tailored exploits targeting known CVEs, and mapped 305 internal servers — output typical of a full red team, compressed to a single operator. Initial access exploited unpatched systems and stale credentials, not novel techniques. Millions of citizen records were exfiltrated.
Wiz CTO Ami Luttwak argues Claude Mythos marks a structural shift: the model can autonomously chain vulnerabilities, reverse-engineer closed-source binaries, and produce working exploits from a CVE ID + git hash within hours. Wiz's projection: a "Y2K moment" in 12–18 months when open-source equivalents become broadly accessible — compressing patch-to-exploit windows to near-zero. Recommended now: accelerate patch workflows toward automation, adopt "assume RCE" isolation design, and prioritize AI-assisted AppSec for API and web application logic flaws.

SafeDep flagged a dependency confusion campaign by npm account victim59 targeting Unico (via @genoma-ui/components), Needl.ai (via @needl-ai/common), and rrweb users (via rrweb-v1). All three packages use version 99.99.x to outrank internal versions, sandbox-evade by checking if CWD starts with /tmp, then beacon whoami, hostname, working directory, and timestamp to a DigitalOcean C2 at 64[.]227[.]183[.]144. Mitigations: register org scopes on public npm, pin scoped packages to private registries in .npmrc, add min-release-age.
An Adobe Acrobat Reader zero-day has been actively exploited since at least December 2025 — four months unpatched. Discovered by EXPMON's Haifei Li, the exploit requires only opening a PDF and abuses privileged util.readFileIntoStream and RSS.addFeed Acrobat APIs to harvest local data and beacon to a remote C2 (169.40.2[.]68:45191); it can stage follow-on RCE and sandbox escape payloads. Observed lures reference Russian oil and gas industry events. No patch is available; mitigate by blocking HTTP/HTTPS traffic with "Adobe Synchronizer" in the User-Agent header, and do not open PDFs from untrusted sources.
Fortinet EMS CVE-2026-35616 was exploited as a zero-day before an emergency hotfix was released April 5–6; the flaw allows unauthenticated API access enabling command execution. A full patch is still pending — apply the hotfix immediately and follow CyberScoop's remediation guidance.

Sherlock Forensics' 2026 AI Code Security Report — based on manual assessments of dozens of apps built with Copilot, Claude, ChatGPT, and Cursor (Jan–Apr 2026) — finds 92% contain at least one critical vulnerability; average 8.3 exploitable findings per app; 78% store secrets in plaintext or committed .env files; 34% of Node.js projects contain hallucinated package references. Only 12% implement rate limiting on auth endpoints. Median time from deployment to first exploit attempt: 18 days. By tool: GitHub Copilot averaged 9.1 findings/audit (94% critical rate); Claude averaged 6.4 (82%). Top gaps: missing logging (91%), missing rate limiting (88%), secrets mismanagement (78%).
Apiiro launched the Apiiro CLI, exposing six "agent skills" callable by AI coding agents at write time — real-time secret and vulnerability scanning, risk assessment, automated remediation, continuous assistance, AI threat modeling, and secure prompt engineering — embedded directly into CI/CD. Positioned as a response to the fundamental unsustainability of scan-after-the-fact when AI agents are generating code at machine speed.

Get AppSec Briefing in your inbox