OpenAI has said that no user data or internal systems were compromised following a security issue linked to a third-party developer tool, Axios. The company confirmed that the incident was part of a broader software supply chain attack affecting the industry, but added that its investigation found no evidence of data exposure or software tampering.
What happened
According to the company, the issue originated from a compromised version of Axios that was briefly used in a GitHub Actions workflow tied to the macOS app-signing process. This workflow had access to certificates used to verify that OpenAI’s desktop applications are legitimate.
While the company stated that the likelihood of the certificate being extracted was low due to timing and safeguards, it is treating the certificate as potentially exposed. As a result, OpenAI has decided to revoke and rotate the certificate as a precautionary step.
What OpenAI is doing
OpenAI said it is updating its macOS code-signing certificates and releasing new builds of its desktop applications. Users will need to update to the latest versions to continue receiving updates and ensure app authenticity.
Older versions of OpenAI’s macOS apps will stop receiving support after May 8, 2026, and may not function as expected. The company has also worked with Apple to block any further notarisation attempts using the older certificate.
Impact on users
OpenAI clarified that the incident does not affect iOS, Android, Windows, Linux, or web users. It also confirmed that passwords, API keys, and user data remain safe.
However, macOS users are advised to update their apps through official channels or in-app updates. The company warned against downloading apps from third-party sources, emails, or unknown links, as attackers could attempt to distribute fake versions.
Security measures and response
As part of its response, OpenAI engaged external security experts, reviewed all notarisation activity, and confirmed that no unauthorised software was signed using its credentials. The company also fixed the underlying issue in its workflow, including replacing floating tags with specific versions and adding stricter controls.
OpenAI said it will continue monitoring for any misuse and may accelerate certificate revocation if suspicious activity is detected.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
