OpenAI Confirms Third-Party Tool Security Issue, Says No User Data Was Accessed

OpenAI has confirmed that it identified a security issue involving a third-party developer tool, but emphasized that there is no evidence that any user data, systems, or intellectual property were accessed or compromised.

The ChatGPT maker said the issue was linked to a widely used third-party library called Axios, which was reportedly compromised as part of a broader software supply chain attack. The attack is believed to be connected to threat actors associated with North Korea.

According to OpenAI, the incident involved a GitHub Actions workflow that downloaded and executed a modified version of Axios. This workflow had access to certificate and notarization materials used to verify OpenAI’s macOS applications, including ChatGPT Desktop, Codex, Codex-cli, and Atlas.

However, the company stated that its internal analysis found no evidence that the signing certificate was successfully extracted or misused by the malicious payload. OpenAI also confirmed that passwords and API keys were not affected during the incident.

The company added that the root cause was a misconfiguration within the GitHub Actions workflow, which has since been fixed and secured.
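The page does not say how the workflow came to download the modified library, so the following is an added illustration of one general mitigation rather than OpenAI's own fix or code: a CI step that refuses to run a dependency tarball unless its bytes match the integrity digest pinned in the project's lockfile. The lockfile fragment and tarball contents are constructed for the example; the `sha512-<base64>` integrity format is the Subresource Integrity form npm uses in `package-lock.json`, and `npm ci` performs an equivalent check itself when the workflow installs from a committed lockfile instead of fetching an unpinned build.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data (not OpenAI's or Axios's real artifacts): the
# "expected" bytes stand in for the tarball that was reviewed and pinned, the
# "tampered" bytes for a modified build substituted into the workflow.
EXPECTED_TARBALL = b"constructed-good-axios-tarball-bytes"
TAMPERED_TARBALL = b"constructed-modified-axios-tarball-bytes"


def sri_sha512(data: bytes) -> str:
    """Return the npm/SRI-style integrity string ('sha512-<base64>') for data."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


# Constructed lockfile fragment in package-lock.json v3 layout; the integrity
# value is derived from EXPECTED_TARBALL so the example is self-consistent.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/axios": {
            "version": "0.0.0-constructed",
            "resolved": "https://registry.example.invalid/axios/-/axios-0.0.0.tgz",
            "integrity": sri_sha512(EXPECTED_TARBALL),
        }
    },
})


def parse_integrity(integrity: str) -> tuple[str, bytes]:
    """Split an SRI string such as 'sha512-<base64>' into (algorithm, raw digest).

    Only the single-hash form is handled here; SRI also allows several
    space-separated hashes, which a production check would iterate over.
    """
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512") or not b64:
        raise ValueError(f"unsupported or malformed integrity value: {integrity!r}")
    return algo, base64.b64decode(b64, validate=True)


def verify_package(lockfile_json: str, package_path: str, tarball: bytes) -> bool:
    """Return True only if the tarball matches the digest pinned in the lockfile.

    False means the bytes the workflow is about to execute are not the bytes
    that were reviewed and pinned, or the dependency was never pinned at all;
    either condition should fail the job before any code from the package runs
    and before any signing secret is exposed to it.
    """
    lock = json.loads(lockfile_json)
    entry = lock.get("packages", {}).get(package_path)
    if entry is None or "integrity" not in entry:
        # An unpinned dependency cannot be verified; treat that as a failure.
        return False
    algo, expected = parse_integrity(entry["integrity"])
    actual = hashlib.new(algo, tarball).digest()
    # Constant-time comparison; the digests are public, but it costs nothing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for label, blob in (("pinned build", EXPECTED_TARBALL), ("modified build", TAMPERED_TARBALL)):
        ok = verify_package(SAMPLE_LOCKFILE, "node_modules/axios", blob)
        print(f"{label}: {'OK' if ok else 'REJECTED'}")
```

The separation the check enforces is the one the incident highlights: a dependency install step should only ever consume pinned, integrity-checked artifacts, and any job that touches code-signing or notarization material should run in a separate job that never executes freshly fetched third-party code.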

As part of its response, OpenAI is updating its security certification process and requiring all macOS users to upgrade to the latest versions of its applications. Older versions will stop receiving updates and may lose functionality starting May 8.

The company said these steps are being taken to reduce the risk of malicious actors distributing fake or unauthorized versions of its software and to strengthen overall security across its ecosystem.
