Salt Project Community Members!
We are issuing this notification regarding actions affecting our macOS signing certificates.
On or about March 31, 2026, the saltstack/salt repository was affected by the downstream publication of malicious versions of the axios npm package (1.14.1 and 0.30.4).
Out of an abundance of caution, we have taken the following actions with regard to our macOS DeveloperID Installer Signing Certificate and DeveloperID Application Signing Certificate:
- Secret Rotation: All secrets, including the application and installer signing certificates for Salt, have been rotated.
- CI/CD Hardening: We have removed all secrets from nightly builds and pinned all GitHub Actions to specific commit hashes instead of mutable version tags to prevent recurrence.
- Revocation Process Initiated: We have contacted Apple security to begin the process of revoking the compromised certificates.
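The pinning check behind the CI/CD hardening item above, as an added example rather than the Salt project's own tooling: the script flags `uses:` references that point at a mutable tag, branch or image tag instead of a commit SHA or image digest, and shows how to resolve a tag to the commit SHA to pin. The sample workflow, the all-zero SHA and the `ghcr.io/example/image` name are constructed placeholders; `resolve_action_sha` needs network access and is only defined, not run.

```shell
#!/bin/sh
# Added example (not Salt's CI code): find GitHub Actions `uses:` references
# that are not pinned to an immutable commit SHA, and resolve a tag to pin it.

# Constructed sample workflow; the 40-zero SHA and the image name are placeholders.
SAMPLE_WORKFLOW=$(cat <<'EOF'
name: nightly
on:
  schedule:
    - cron: '0 3 * * *'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # v5
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:latest
      - run: make build
EOF
)

# Reads a workflow on stdin; prints each `uses:` target that is a mutable
# reference (tag, branch or image tag). A 40-hex commit SHA or a
# `@sha256:<64 hex>` image digest counts as pinned. Local `./` actions are
# skipped: they are versioned with the repository itself.
unpinned_actions() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
    grep -v '^\./' |
    grep -Ev '@([0-9a-fA-F]{40}|sha256:[0-9a-f]{64})$' || true
}

# Resolves owner/repo tag -> commit SHA to pin. Prefers the peeled `^{}` entry
# so an annotated tag yields the commit, not the tag object. Needs network.
resolve_action_sha() {
  repo=$(printf '%s' "$1" | cut -d/ -f1,2)
  git ls-remote --tags "https://github.com/$repo" |
    awk -v t="refs/tags/$2" '
      $2 == (t "^{}") { peeled = $1 }
      $2 == t         { plain = $1 }
      END { if (peeled) print peeled; else if (plain) print plain }'
}

# Reads a workflow on stdin; exits non-zero if any reference is unpinned.
check_workflow() {
  found=$(unpinned_actions)
  [ -z "$found" ] && return 0
  for ref in $found; do printf 'unpinned: %s\n' "$ref"; done
  return 1
}

printf '%s\n' "$SAMPLE_WORKFLOW" | check_workflow || echo "pin these before merging"
# To pin a flagged reference: resolve_action_sha actions/checkout v4
```

A pinned SHA goes stale silently, so keep the human-readable version in a trailing comment (as the sample does) and bump pins deliberately rather than by editing a tag.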
Resolution Plan and Recommended Timeline
Our current priority is to release a new, securely signed version as quickly as possible. The timeline for revoking the exposed certificates is contingent on this new release:
| Certificate | Plan and Implication | Timeline |
|---|---|---|
| DeveloperID Installer Certificate | This certificate will be revoked, and all packages signed with it (versions 3006.15 - 3006.23 and 3007.7 - 3007.13) will be removed from our repository. Implication: New downloads and installs of old packages will be blocked. | Revocation will be performed immediately upon the release of the new, securely signed package. |
| DeveloperID Application Certificate | This is a more complex decision, as revoking it will cause existing installations signed with the certificate to stop working. | The old certificate will be revoked 2 weeks after the new release is available to users. We are working on the shortest possible internal timeline to deploy the new version to minimize the period of risk. |
Action for Users
We urge all macOS users to install the new release (versions 3006.24 and 3007.14), signed with the new certificates, as soon as it becomes available on April 23, 2026. This will ensure continuity of service and provide the highest level of security.
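A check macOS users can run against a downloaded package and an installed binary, added here as an example and not part of the project's release tooling: `pkgutil --check-signature` prints the certificate chain of a .pkg, and `codesign -dvvv` prints the `Authority=` lines of a signed binary, so both can be compared with the new Developer ID certificates. The sample pkgutil output, the organisation name, team ID, dates and fingerprints are constructed placeholders; the expected fingerprint in `EXPECTED_INSTALLER_SHA256` must come from a trusted channel, since this notice does not list it; the function names are the example's own, and `verify_pkg` and `app_signer` need macOS and are only defined, not run.

```shell
#!/bin/sh
# Added example (not Salt project tooling): identify which Developer ID
# certificate a Salt macOS package or installed binary is signed with.

# Constructed sample of `pkgutil --check-signature` output. Org name, team ID,
# dates and fingerprints are placeholders, not Salt's real certificate data.
SAMPLE_PKGUTIL=$(cat <<'EOF'
Package "example.pkg":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Installer: Example Org (TEAMID0000)
       Expires: 2027-04-01 00:00:00 +0000
       SHA256 Fingerprint:
           00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
           00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 00:00:00 +0000
       SHA256 Fingerprint:
           FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00
           FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00
       ------------------------------------------------------------------------
    3. Apple Root CA
EOF
)

# stdin: pkgutil --check-signature output. Prints the leaf (entry 1) signer.
pkg_signer() {
  awk '/^[ \t]*1\. / { sub(/^[ \t]*1\. /, ""); print; exit }'
}

# stdin: pkgutil --check-signature output. Prints the leaf certificate's
# SHA-256 fingerprint as 64 uppercase hex digits, ignoring the CA entries.
pkg_fingerprint() {
  awk '
    /^[ \t]*1\. / { inleaf = 1 }
    /^[ \t]*2\. / { inleaf = 0 }
    inleaf && /SHA256 Fingerprint:/ { infp = 1; next }
    inleaf && infp && /^[ \t]*[0-9A-Fa-f][0-9A-Fa-f]([ \t]+[0-9A-Fa-f][0-9A-Fa-f])*[ \t]*$/ {
      gsub(/[ \t]/, ""); fp = fp $0; next
    }
    inleaf && infp { infp = 0 }
    END { print toupper(fp) }'
}

# Compares a downloaded .pkg with the installer-certificate fingerprint you
# obtained out of band (EXPECTED_INSTALLER_SHA256: 64 hex digits, no separators).
# Returns 2 if pkgutil fails, 3 if the package is unsigned, 1 on mismatch.
verify_pkg() {
  out=$(pkgutil --check-signature "$1") || return 2
  printf '%s\n' "$out" | grep -q 'Status: signed' || return 3
  printf 'signer: %s\n' "$(printf '%s\n' "$out" | pkg_signer)"
  actual=$(printf '%s\n' "$out" | pkg_fingerprint)
  [ "$actual" = "$(printf '%s' "$EXPECTED_INSTALLER_SHA256" | tr 'a-f' 'A-F')" ]
}

# For an installed binary, the leaf "Developer ID Application: ..." authority
# is the first Authority= line; codesign writes its -d output to stderr.
app_signer() {
  codesign -dvvv "$1" 2>&1 | sed -n 's/^Authority=//p' | head -n 1
}

printf 'sample signer:      %s\n' "$(printf '%s\n' "$SAMPLE_PKGUTIL" | pkg_signer)"
printf 'sample fingerprint: %s\n' "$(printf '%s\n' "$SAMPLE_PKGUTIL" | pkg_fingerprint)"
# On macOS: EXPECTED_INSTALLER_SHA256=... verify_pkg ~/Downloads/salt.pkg
#           app_signer /path/to/installed/salt/binary
```

After Apple revokes the old Developer ID Application certificate, binaries from the listed old versions no longer pass Gatekeeper; `spctl --assess --type execute <path>` shows that verdict directly, which is the continuity-of-service point in the table above.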
We appreciate your immediate attention to this matter and thank you for your patience and cooperation as we work diligently to resolve this incident.
Directory repository locations:
- Salt Project Repository: Linux (RPM): where Salt rpm packages are officially stored and distributed.
- Salt Project Repository: Linux (DEB): where Salt deb packages are officially stored and distributed.
- Salt Project Repository: GENERIC: where Salt Windows, macOS, etc. (non-rpm, non-deb) packages are officially stored and distributed.
- Best-effort supported versions of Salt (non-relenv) are also available on PyPI: https://pypi.org/project/salt/
– Salt Project Team