OpenAI has disclosed a security issue involving a third-party developer tool called Axios, saying it is taking precautionary steps to protect the system that verifies its macOS applications as legitimate.
The company emphasized that there is no evidence that user data was accessed, its systems or intellectual property were compromised, or its software was tampered with.
The issue stems from a broader software supply chain attack that reportedly affected Axios on March 31, with suspected links to North Korean threat actors. According to OpenAI, the incident allowed a GitHub Actions workflow to download and execute a malicious version of the library. This workflow had access to sensitive materials used for signing and notarizing macOS apps such as ChatGPT Desktop, Codex, Codex CLI, and Atlas.
Despite the exposure, OpenAI’s investigation found that the signing certificate involved was likely not successfully extracted by the malicious code. The company also confirmed that passwords and OpenAI API keys were not impacted.
As a precaution, OpenAI is updating its security certifications and urging all macOS users to upgrade to the latest versions of its applications. This step is aimed at preventing any potential misuse, such as distributing fake versions of OpenAI apps.
The company has also addressed the root cause of the incident, which was traced to a misconfiguration in the GitHub Actions workflow. To further strengthen security, OpenAI announced that older versions of its macOS desktop apps will stop receiving updates or support after May 8 and may no longer function properly.
Overall, while the incident highlights risks in software supply chains, OpenAI maintains that its core systems and user data remain secure.





