OpenAI flags third‑party tool security issue

OpenAI said on April 11 that a compromised third-party tool touched the path it uses to certify some Mac apps, but the company said it found no evidence that user data, internal systems, intellectual property, or shipped software were accessed or altered. It told macOS users to update OpenAI apps to the latest versions while it rotates the affected signing materials. (openai.com) (reuters.com) The tool at the center of it was Axios, a JavaScript library that many developers use to let software talk to websites and application programming interfaces, which are the digital front desks apps use to request data from other services. OpenAI said a GitHub Actions workflow in its macOS app-signing process downloaded and executed a malicious Axios version, 1.14.1, on March 31, 2026 Coordinated Universal Time. (openai.com) (microsoft.com) App signing is the digital wax seal that tells Apple and users a program really came from the claimed developer and has not been swapped out on the way. OpenAI said the affected workflow had access to a certificate and notarization material used to sign ChatGPT Desktop, Codex, Codex command-line interface, and Atlas for macOS. (openai.com) The immediate fear in a case like this is not that a hacker reads chats directly, but that a stolen signing certificate could make a fake app look real enough to slip past a quick glance. OpenAI said it is updating its security certifications because the main risk was someone trying to distribute a fake OpenAI Mac app that appeared legitimate. (reuters.com) (openai.com) Axios matters because it sits deep in the software supply chain, which is the chain of libraries, build tools, and automation scripts that modern apps pull in before a product ever reaches a user. Microsoft said the malicious Axios releases were versions 1.14.1 and 0.30.4, and that they were part of a broader supply-chain attack tied to infrastructure the company attributes to the North Korean state actor Sapphire Sleet. (microsoft.com) (elastic.co) Security researchers said the poisoned Axios packages could fetch a second-stage remote access trojan, which is malware that opens a hidden control channel back to an attacker. Elastic said the attacker used a compromised npm maintainer account to publish the bad releases, and Microsoft said the payloads worked across macOS, Windows, and Linux. (elastic.co) (microsoft.com) OpenAI’s account of the timeline is narrow and specific: the malicious package ran inside one GitHub Actions workflow tied to Mac app signing on March 31, 2026, and the company said it has seen no evidence that production systems or customer data were reached from there. The company also said it is rotating certificates, hardening the signing pipeline, and requiring users to install the newest Mac app versions. (openai.com) (reuters.com) That is why this story is less about one library and more about the machinery behind software releases. A chat app can keep its servers locked down and still face trouble if the tools that build, sign, and ship the app are trusted too broadly or updated too automatically. (openai.com) (vectra.ai) For Mac users, the practical step is simple: update ChatGPT, Codex, Atlas, and Codex command-line interface if they are installed, because OpenAI says new versions are tied to refreshed signing credentials. For software companies, the lesson is harsher: the build system is part of the product, and every package, automation token, and signing key now sits on the same trust boundary as the code customers actually run. (openai.com) (ithinkdiff.com)