OpenAI announced on Friday that it identified a security vulnerability related to a third-party developer tool named Axios. The company is taking steps to protect the signing and certification process that attests that its macOS applications are authentic OpenAI products.
Notably, OpenAI confirmed there is no indication that user data was accessed, nor were its systems, intellectual property, or software compromised or altered in any way. To mitigate potential risks, OpenAI is updating its security certifications and mandating that all macOS users upgrade their OpenAI applications to the latest versions. This step aims to prevent any attempts to distribute counterfeit apps.
OpenAI also revealed that Axios, a widely used third-party developer library, was compromised on March 31 as part of a larger software supply chain attack attributed to actors believed to have ties to North Korea. The compromise caused a GitHub Actions workflow used by OpenAI to download and execute a malicious version of Axios.
This compromised workflow had access to certificates and notarization materials essential for signing macOS applications, including ChatGPT Desktop, Codex, Codex-cli, and Atlas. However, OpenAI’s investigation concluded that the signing certificate involved was likely not successfully extracted by the malicious payload.
Effective May 8, older versions of OpenAI’s macOS desktop applications will cease to receive updates or support and may stop functioning altogether. The company emphasized that passwords and OpenAI API keys were not impacted by this security incident. The root cause was identified as a misconfiguration in the GitHub Actions workflow, which has since been rectified.
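The incident above turned on a CI workflow pulling in a dependency that was no longer what the project had vetted. One general mitigation is to refuse to build unless every lockfile entry carries an integrity hash, comes from a trusted registry, and matches the version the team pinned. The following is an added example, not OpenAI's or the Axios project's code; the lockfile content, the `evil-helper` package, the registry URL and the integrity strings are constructed placeholders, and the real misconfiguration in OpenAI's workflow is not described on this page.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 layout); placeholder values only.
SAMPLE_LOCK = json.dumps({
    "name": "build-tooling", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.6.0", "left-pad": "1.3.0"}},
        "node_modules/axios": {
            "version": "1.6.8",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
            "integrity": "sha512-PLACEHOLDER-INTEGRITY-FOR-EXAMPLE",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            # no "integrity" field: the installer cannot verify this tarball
        },
        "node_modules/evil-helper": {  # constructed name, not a real package
            "version": "0.0.1",
            "resolved": "http://mirror.example.invalid/evil-helper-0.0.1.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
    },
})

# Registries the build is allowed to fetch tarballs from (assumption for this example).
TRUSTED_REGISTRIES = ("https://registry.npmjs.org/",)


def audit_lockfile(lock_text, pinned=None):
    """Return (package, finding) pairs for lockfile entries a CI job should refuse.

    pinned: optional {name: exact_version} map for dependencies that must not drift
    from the version the team reviewed, regardless of the range in package.json."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry describes the project itself
        name = path.rsplit("node_modules/", 1)[-1]
        if "integrity" not in entry:
            findings.append((name, "missing integrity hash"))
        resolved = entry.get("resolved", "")
        if not resolved.startswith(TRUSTED_REGISTRIES):
            findings.append((name, f"untrusted source {resolved}"))
        if pinned and name in pinned and entry.get("version") != pinned[name]:
            findings.append((name, f"version {entry.get('version')} differs from pinned {pinned[name]}"))
    return findings
```

A CI job would run this against the checked-in lockfile before installing dependencies and fail the build on any finding, so a swapped tarball or an unreviewed version bump is caught before the step that has access to signing material runs.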
