OpenAI has announced a significant security issue related to a third-party developer tool known as Axios. The company has initiated measures to reinforce the integrity of its process for certifying macOS applications as official OpenAI products.
Despite the security breach, OpenAI stated there is no evidence suggesting unauthorized access to user data, compromise of its systems, or alteration of its software. In response to the potential risks, the company is updating its security certifications and mandating that all macOS users update their OpenAI applications to the latest versions. This measure is intended to thwart any attempts to distribute counterfeit applications.
The security concern emerged after Axios, a widely utilized third-party developer library, was compromised on March 31 during a broader software supply chain attack attributed to actors believed to be linked to North Korea. As a result of this incident, a GitHub Actions workflow used by OpenAI inadvertently downloaded and executed a modified version of Axios that contained malicious elements. This workflow had access to key certification and notarization materials necessary for signing macOS applications, including popular products like ChatGPT Desktop, Codex, Codex-cli, and Atlas.
OpenAI’s investigation into the breach indicated that while potentially sensitive information was at risk, the signing certificate involved in the workflow was probably not successfully extracted by the malicious payload.
Starting May 8, older versions of OpenAI’s macOS desktop applications will be phased out and will no longer receive updates, support, or guaranteed functionality. The company reassured users that passwords and OpenAI API keys remained secure and unaffected by the breach. It attributed the root cause of the incident to a misconfiguration within the GitHub Actions workflow, which has since been resolved.
OpenAI is encouraging users to remain vigilant and ensure they are utilizing the most recent versions of their software to maintain security and functionality.


