Samuel Boivin | Nurphoto | Getty Images
OpenAI said on Friday it had identified a security issue involving a third-party developer tool called Axios and is taking steps to protect the process that certifies its macOS applications are legitimate OpenAI apps.
The ChatGPT maker said it found no evidence that its user data was accessed, that its systems or intellectual property was compromised, or that its software was altered.
* The company said it is updating its security certifications, requiring all macOS users to update their OpenAI apps to the latest versions to help prevent any risk of someone attempting to distribute a fake app.
* According to OpenAI, Axios, a widely used third-party developer library, was compromised on March 31, as part of a broader software supply chain attack by actors believed to be linked to North Korea.
* This attack led a GitHub Actions workflow used by OpenAI to download and execute a ‘malicious’ version of Axios. This workflow had access to a certificate and notarization material used for signing macOS applications, including ChatGPT Desktop, Codex, Codex-cli, and Atlas.
* OpenAI said its analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the ‘malicious’ payload.
* Effective May 8, older versions of OpenAI’s macOS desktop apps will no longer receive updates or support, and may not be functional, the ChatGPT maker said.
* Passwords and OpenAI API keys were not affected by the third-party security issue, the company said, adding that the root cause of the security incident was a misconfiguration in the GitHub Actions workflow, which has been addressed.
