OpenAI identifies security issue involving third-party tool
OpenAI said on Friday it had identified a security issue involving a third-party developer tool called Axios and is taking steps to protect the process that certifies its macOS applications are legitimate OpenAI apps.
The ChatGPT maker said it found no evidence that its user data was accessed, that its systems or intellectual property was compromised, or that its software was altered.
The company said it is updating its securitycertifications, requiring all macOS users to update theirOpenAI apps to the latest versions to help prevent any risk ofsomeone attempting to distribute a fake app.
According to OpenAI, Axios, a widely used third-partydeveloper library, was compromised on March 31, as part of abroader software supply chain attack by actors believed to belinked to North Korea.
This attack led a GitHub Actions workflow used by OpenAIto download and execute a 'malicious' version of Axios. Thisworkflow had access to a certificate and notarisation materialused for signing macOS applications, including ChatGPT Desktop,Codex, Codex-cli, and Atlas.
OpenAI said its analysis of the incident concluded thatthe signing certificate present in this workflow was likely notsuccessfully exfiltrated by the 'malicious' payload. Effective May 8, older versions of OpenAI's macOS desktopapps will no longer receive updates or support, and may not befunctional, the ChatGPT maker said.
Passwords and OpenAI API keys were not affected by thethird-party security issue, the company said, adding thatthe root cause of the security incident was a misconfigurationin the GitHub Actions workflow, which has been addressed.
The ChatGPT maker said it found no evidence that its user data was accessed, that its systems or intellectual property was compromised, or that its software was altered.
The company said it is updating its securitycertifications, requiring all macOS users to update theirOpenAI apps to the latest versions to help prevent any risk ofsomeone attempting to distribute a fake app.
According to OpenAI, Axios, a widely used third-partydeveloper library, was compromised on March 31, as part of abroader software supply chain attack by actors believed to belinked to North Korea.
This attack led a GitHub Actions workflow used by OpenAIto download and execute a 'malicious' version of Axios. Thisworkflow had access to a certificate and notarisation materialused for signing macOS applications, including ChatGPT Desktop,Codex, Codex-cli, and Atlas.
OpenAI said its analysis of the incident concluded thatthe signing certificate present in this workflow was likely notsuccessfully exfiltrated by the 'malicious' payload. Effective May 8, older versions of OpenAI's macOS desktopapps will no longer receive updates or support, and may not befunctional, the ChatGPT maker said.
Passwords and OpenAI API keys were not affected by thethird-party security issue, the company said, adding thatthe root cause of the security incident was a misconfigurationin the GitHub Actions workflow, which has been addressed.
Next Story