OpenAI flags third‑party tool issue
OpenAI disclosed a security issue tied to a third‑party tool and said it found no evidence that user data, systems or intellectual property were accessed. The company described the incident as involving an external integration rather than an internal breach. (cnbc.com)
OpenAI said on April 10 that a compromised third-party coding tool forced it to tighten protections around how its Mac apps are verified as genuine. (openai.com) The tool was Axios, a JavaScript library used by developers to move data between software services. OpenAI said the issue was part of a broader industry incident and involved its macOS app certification process, not an internal breach of OpenAI systems. (openai.com)
OpenAI said it found no evidence that user data was accessed, that its systems or intellectual property were compromised, or that its software was altered. Reuters reported the company disclosed the issue on Friday, April 10, and said it was taking steps to protect the process that certifies its macOS applications as legitimate OpenAI apps. (openai.com) (cnbc.com)
The case centers on software supply chains, the chain of outside code and services companies use to build products. When one link in that chain is tampered with, the risk can spread to many companies at once even if their own networks were not directly hacked. (openai.com) (forbes.com) That is why OpenAI framed the event as an external integration problem rather than a breach of its own infrastructure. The company said it was acting “out of an abundance of caution” as it changed the trust process for Mac software signed as official OpenAI apps. (openai.com)
Reports on April 12 said OpenAI was rotating security certificates tied to its macOS apps and telling Mac users to update installed OpenAI applications. Moneycontrol and Forbes both said the company’s response followed the revocation and replacement of those certificates after the Axios incident. (moneycontrol.com) (forbes.com)
OpenAI has dealt with third-party security disclosures before. In December 2025, it said a Mixpanel incident exposed limited analytics data for some application programming interface users and a limited number of ChatGPT users, but not application programming interface content, credentials, or payment details. (openai.com)
The immediate message from this disclosure is narrower than a customer-data breach: OpenAI says the risk sat in the software tools around its Mac app trust chain, and it is replacing that trust machinery before saying more. (openai.com)