OpenAI has disclosed a security issue linked to a compromised third-party developer tool, prompting the company to tighten safeguards around its macOS applications and urge users to update to the latest versions.
The issue involved Axios, a widely used developer library, which OpenAI said was compromised as part of a broader software supply chain attack believed to be linked to North Korean threat actors. The incident affected a GitHub Actions workflow used by OpenAI to download and execute dependencies during its development process.
According to the company, the compromised workflow had access to code-signing and notarization materials used to verify macOS applications such as ChatGPT Desktop and related tools. However, OpenAI said its investigation found no evidence that user data was accessed, systems were breached, or its software was altered.
The company added that the signing certificate involved in the workflow was likely not successfully extracted by the malicious code, reducing the risk of unauthorized or fake app distribution.
To further mitigate any potential threats, OpenAI is updating its security certifications and requiring macOS users to upgrade their applications. Older versions of its desktop apps will stop receiving updates and support from May 8 and may eventually become non-functional.
OpenAI also confirmed that sensitive credentials, including user passwords and API keys, were not impacted. The root cause of the issue has been traced to a misconfiguration in the GitHub workflow, which has since been fixed.
The incident highlights growing concerns around software supply chain vulnerabilities, where attackers target widely used components to gain indirect access to development environments and critical systems.




