OpenAI reports a security issue with a third-party tool, stating that no user data was accessed.

Published On Sat, 11 Apr 2026
Priya Kashyap

OpenAI announced that it discovered a security vulnerability involving a third-party developer library, Axios, and is taking measures to secure the certification process that verifies its macOS applications as legitimate. The company emphasized that there is no evidence of user data being accessed, its systems or intellectual property being compromised, or its software being modified.

To reduce any potential risk, OpenAI is updating its security certifications and has advised all macOS users to upgrade to the latest versions of its applications. According to the company, Axios was compromised on March 31 as part of a wider software supply chain attack, reportedly linked to North Korean actors. This breach affected a GitHub Actions workflow used by OpenAI, which unintentionally downloaded and executed a malicious version of the library. The workflow had access to signing certificates and notarization materials used for macOS apps such as ChatGPT Desktop, Codex, Codex-cli, and Atlas.

OpenAI’s investigation suggests that the signing certificate involved was likely not successfully extracted by the malicious code. The company also stated that, starting May 8, older versions of its macOS desktop applications will no longer be supported, updated, or guaranteed to function properly. OpenAI confirmed that passwords and API keys were not impacted. The root cause of the incident was traced to a misconfiguration in the GitHub Actions workflow, which has since been fixed.
