OpenAI has disclosed a security issue involving Axios, a widely used third-party JavaScript HTTP library that was compromised upstream. The company is taking steps to secure the code-signing process for its macOS applications.
According to OpenAI, there is no evidence that user data was compromised or that its systems or intellectual property were affected. The company is rotating its signing certificates and requires all macOS users to upgrade to the latest versions of its applications, so that genuine builds can be distinguished from potential counterfeit apps.
Incident Overview
Axios was reportedly compromised on March 31 as part of a broader software supply chain attack attributed to actors believed to be linked to North Korea. A malicious version of the package was downloaded and executed by a GitHub Actions workflow used by OpenAI.
Implications of the Attack
This workflow had access to the certificate and notarization materials used to sign macOS applications, including ChatGPT Desktop and Codex. OpenAI's investigation, however, indicates that the signing certificate was likely not exfiltrated by the malicious payload.
Next Steps for Users
Effective May 8, older versions of OpenAI's macOS desktop applications will no longer receive updates or support and may stop working. Users should update to the latest release to keep their applications secure and functional; anyone who wants to confirm that an installed copy is genuine can inspect its code signature with Apple's codesign tool rather than relying on the app's appearance.
Security Measures Taken
OpenAI confirmed that passwords and API keys were not affected by the issue. The root cause was a misconfiguration in the GitHub Actions workflow, which has since been corrected.
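The page does not say what the misconfiguration was, only that a workflow which installed a compromised dependency also had access to signing and notarization materials. The following is an added, illustrative example, not OpenAI's workflow, showing the general pattern that exposure implies and one way to close it: a weak workflow that exports signing secrets to every step (so any dependency's install script runs with them in its environment), followed by a hardened version that installs dependencies from a lockfile with install scripts disabled and hands the build output to a separate signing job that alone can read the secrets. The secret names, script path, and artifact names are hypothetical; Axios appears as the example dependency only because it is the package the page names.

```yaml
# BEFORE (weak, illustrative): a single job installs dependencies, builds,
# and signs, with signing secrets exported as workflow-wide environment
# variables. `npm install` resolves version ranges at build time and runs
# install scripts, so a malicious release of any dependency (here, Axios)
# executes with APPLE_SIGNING_CERT_P12 and APPLE_NOTARY_KEY in its environment.
name: build-macos-weak
on: [push]
env:
  APPLE_SIGNING_CERT_P12: ${{ secrets.APPLE_SIGNING_CERT_P12 }}  # hypothetical secret name
  APPLE_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}              # hypothetical secret name
jobs:
  build-and-sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install                      # unpinned resolution, install scripts enabled
      - run: npm run build
      - run: ./scripts/sign-and-notarize.sh   # hypothetical signing script
---
# AFTER (hardened, illustrative): dependency installation and signing are
# separate jobs. The build job never receives signing secrets; the signing
# job receives only the built artifact and never runs third-party code.
name: build-macos-hardened
on: [push]
permissions:
  contents: read                  # least-privilege default for the GITHUB_TOKEN
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4 # in production pin to the release's full commit SHA, not a tag
      - run: npm ci --ignore-scripts          # exact versions from package-lock.json, no install scripts
      - run: npm run build
      - uses: actions/upload-artifact@v4
        with:
          name: app-unsigned                  # hypothetical artifact name
          path: dist/
  sign:
    needs: build
    runs-on: macos-latest
    environment: release-signing  # protected environment; secrets are defined only here
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: app-unsigned
          path: dist/
      - run: ./scripts/sign-and-notarize.sh   # hypothetical signing script
        env:                                  # secrets scoped to this one step
          APPLE_SIGNING_CERT_P12: ${{ secrets.APPLE_SIGNING_CERT_P12 }}
          APPLE_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
```

Two caveats on the hardened form. Separating the jobs limits what a compromised dependency can read, not what it can write: a malicious package that runs at build time can still poison the artifact that the signing job then signs, which is why the lockfile pin, `--ignore-scripts`, and review of lockfile diffs matter as much as secret scoping. And `--ignore-scripts` will skip install steps that some packages (native modules, for example) legitimately need, so those must be rebuilt explicitly in a controlled step rather than by re-enabling scripts globally.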
Conclusion
OpenAI's response to the issue reflects its commitment to user safety and application integrity. Users should install the latest versions of its macOS applications to ensure they remain secure and supported.