OpenAI flags third‑party tool issue

OpenAI disclosed a security issue tied to a third‑party developer tool called Axios and said user data was not accessed while it took protective steps. The incident underlines vendor and supply‑chain risk for organisations using generative-AI tools and suggests patching and vendor scrutiny are needed when adopting new AI services. (insurancejournal.com) (thehindu.com)

OpenAI said on April 10 that a compromised third-party developer tool touched its macOS app-signing process, but it found no evidence user data was accessed. (openai.com) The company said the tool was Axios, a software library developers use to move data between apps and servers, and that the issue was part of a broader industry incident reported in late March and early April. OpenAI said its systems, intellectual property and software were not altered. (openai.com)

OpenAI said it was rotating and revoking certificates used to verify that ChatGPT Desktop, Codex App, Codex Command Line Interface and Atlas on macOS are legitimate OpenAI software. Reuters reported the company disclosed the issue on Friday, April 10. (openai.com) (usnews.com)

A software supply-chain attack works by poisoning a trusted component so the compromise spreads downstream to companies that rely on it. In this case, OpenAI said it took action around code-signing, the system Apple devices use to check whether an app comes from a known developer and has not been tampered with. (openai.com)

OpenAI told macOS users to update every affected app to the latest version by May 8, 2026, because older versions may stop launching after the certificate changes. Forbes reported the deadline applies to ChatGPT Desktop, Codex App, Codex Command Line Interface and Atlas. (forbes.com) (openai.com)

The Axios issue was not limited to OpenAI. Reuters and CNBC said security researchers tied the broader compromise to malicious packages published under Axios version numbers 1.14.1 and 0.30.4, with reports linking the campaign to a North Korea-connected group. (cnbc.com) (usnews.com)

OpenAI said the incident did not affect Windows, web or mobile users, and that no action was required for those platforms. The company limited its guidance to macOS app users and developers who rely on those signed builds. (openai.com)

The disclosure lands as OpenAI has been expanding its business and developer products, including Codex and Atlas, while also promoting its security controls and bug bounty program. That leaves the company handling more desktop software and more third-party dependencies at the same time. (openai.com 1) (openai.com 2)

For users, the immediate change is simple: update the Mac apps before May 8. For OpenAI, the episode closes with a narrower claim than a breach notice: the company says it found a supply-chain problem, changed the trust chain, and saw no evidence customer data was reached. (openai.com)
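For teams that depend on Axios rather than on OpenAI's apps, the practical check is whether any copy of the library in a project, including transitive copies nested under other packages, is pinned to one of the version numbers the reporting above names. The following is an added example, not code from the article, OpenAI or the Axios project; it scans a constructed npm `package-lock.json` object (lockfile v1 and v2/v3 shapes) for axios at 1.14.1 or 0.30.4, and the version list is taken only from the article's reporting.

```javascript
// Added example (not from the article, OpenAI or Axios): flag lockfile entries that
// pin axios to the version numbers the article reports as malicious.

// Version numbers quoted in the article's reporting; maintain this list from your
// own advisory sources, not from this snippet.
const FLAGGED_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);

// Walk a parsed package-lock.json. Lockfile v2/v3 lists every installed package
// under "packages" keyed by install path; v1 nests them under "dependencies".
function findFlaggedAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/axios" or "node_modules/foo/node_modules/axios".
    if (/(^|\/)node_modules\/axios$/.test(path) && FLAGGED_AXIOS_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // v1 fallback: recurse through nested "dependencies" maps, rebuilding the path.
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'axios' && FLAGGED_AXIOS_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walkV1(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walkV1(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v3 shape): a clean top-level axios plus a flagged
// transitive copy pulled in by a hypothetical dependency "some-sdk".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.7.9' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
  },
};

for (const hit of findFlaggedAxios(SAMPLE_LOCK)) {
  console.log(`FLAGGED ${hit.path}@${hit.version}`);
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means a flagged version is installed somewhere in the tree, even if the top-level axios looks clean.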
