OpenAI, the developer of ChatGPT, has confirmed the discovery of a security vulnerability related to third-party tools, but emphasized that it has found no sign of user data being accessed or of its systems being compromised.
According to the announcement, the incident originated in the widely used Axios development library, which was identified as having been compromised on March 31 in a large-scale software supply chain attack.
OpenAI said that, as a result of the attack, one of its GitHub Actions workflows inadvertently downloaded and executed a malicious version of Axios.
That workflow had access to the certificates and credentials used to sign OpenAI's macOS applications, including ChatGPT Desktop, Codex, Codex CLI and Atlas.
After analysis, however, the company stated that there is no evidence the signing certificates were actually exfiltrated. Nor did OpenAI find any modification of its software, theft of intellectual property, or unauthorized access to user data.
The root cause was identified as a misconfiguration in the GitHub Actions workflow. OpenAI said the problem has been fixed and that additional safeguards are being put in place to tighten control over its software supply chain.
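The misconfiguration the notice describes, a dependency-install step that can read macOS signing credentials, is the kind of thing a workflow linter can catch. The following Python is an added example, not OpenAI's code or tooling; the secret names, commands and workflow shapes are constructed, and the workflow is passed in the dict form a YAML loader would return.

```python
# Added example (not OpenAI's code): flag GitHub Actions steps that run a
# package-manager install while code-signing secrets are visible to them.
# Workflows are passed in parsed (dict) form, as a YAML loader would return.
import re

INSTALL_CMD = re.compile(r"\b(npm|yarn|pnpm|pip3?)\s+(install|ci|add)\b")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")


def secrets_in(env):
    """Names of secrets.* references in an env mapping (job- or step-level)."""
    found = set()
    for value in (env or {}).values():
        found.update(SECRET_REF.findall(str(value)))
    return found


def find_exposed_secrets(workflow):
    """Return [(job, step, [secret, ...])] for every install step that can
    read secrets, via its own env or job-level env inherited by all steps."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        job_secrets = secrets_in(job.get("env"))
        for step in job.get("steps", []):
            cmd = step.get("run") or ""
            if not INSTALL_CMD.search(cmd):
                continue
            visible = job_secrets | secrets_in(step.get("env"))
            if visible:
                findings.append((job_name, step.get("name", cmd), sorted(visible)))
    return findings


# Constructed sample: job-level env hands the signing secrets to every step,
# including `npm install`, which is where a compromised dependency runs.
SIGN_ENV = {"SIGNING_CERT_P12": "${{ secrets.MACOS_SIGNING_CERT }}",
            "CERT_PASSWORD": "${{ secrets.MACOS_SIGNING_PASSWORD }}"}
WEAK = {"jobs": {"build": {"env": SIGN_ENV, "steps": [
    {"name": "deps", "run": "npm install"},
    {"name": "sign", "run": "./sign.sh"}]}}}
# Same job with secrets scoped to the signing step only (least privilege).
HARDENED = {"jobs": {"build": {"steps": [
    {"name": "deps", "run": "npm ci --ignore-scripts"},
    {"name": "sign", "run": "./sign.sh", "env": SIGN_ENV}]}}}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, find_exposed_secrets(wf))
```

Scoping secrets to the signing step does not stop a malicious dependency from running, but it removes the signing material from that step's reach, which is the exposure the notice describes.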
To minimize risk, the company is replacing its signing certificates and requires all macOS users to upgrade OpenAI's applications to the latest version.
This is intended to prevent counterfeit applications signed with the old certificates from being used to spread malware.
OpenAI also announced that from May 8, older versions of the ChatGPT application for macOS will no longer be supported or updated and may stop working. Users are advised to update early for security and a stable experience.
Notably, the company also confirmed that users' passwords and API keys were not affected by the incident.