OpenAI flags Axios issue
OpenAI reported a security issue tied to a third‑party developer tool called Axios but said user data was not accessed, a note that highlights risks in production toolchains. Indian and business outlets picked up the disclosure as a reminder that even non‑breach incidents can affect trust around AI tooling. (thehindu.com, telecom.economictimes.indiatimes.com)
OpenAI said on April 10 that a security issue hit part of its macOS app-signing workflow, but it found no evidence that user data was accessed. (openai.com)

The company said a malicious version of the developer library Axios, version 1.14.1, was downloaded and executed on March 31, 2026 through a GitHub Actions workflow used in the macOS signing process. That workflow had access to a certificate and notarization material for ChatGPT Desktop, Codex App, Codex Command Line Interface, and Atlas. (openai.com)

A signing certificate is the digital stamp that tells Apple and users an app really came from a named developer. OpenAI said it believes the certificate was likely not exfiltrated, but it is revoking and rotating it anyway. (openai.com)

That step forces a practical change for users: OpenAI said all macOS users must update to the latest versions of its apps. The company said older versions will stop receiving updates or support on May 8, 2026, and may stop working. (openai.com)

OpenAI said the main risk was not a breach of chats or accounts, but the chance that someone could try to distribute a fake macOS app that appeared to be signed by OpenAI. The company said it has worked with Apple so software signed with the previous certificate cannot be newly notarized. (openai.com)

The company said it found no evidence that its systems, intellectual property, software builds, passwords, or OpenAI application programming interface keys were compromised. It also said it reviewed notarization records tied to the old certificate and found no unexpected software notarization. (openai.com, cnbc.com)

Axios is a widely used JavaScript library that software teams use to move data between apps and servers, so a compromised release can spread through build systems before users ever see a product. OpenAI said this incident was part of a broader software supply-chain attack, and CNBC reported the company linked that broader campaign to actors believed to be tied to North Korea. (openai.com, cnbc.com)

OpenAI said it brought in a third-party digital forensics and incident response firm, published new builds of the affected macOS products, and fixed the GitHub Actions misconfiguration tied to the incident. The company's cutoff date now gives users a clear deadline: update before May 8 or risk losing support and functionality. (openai.com, cnbc.com)
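As an added example (not code from OpenAI's disclosure or from any of the cited outlets), the script below checks an npm lockfile for the Axios version named in the article, which is the first thing a team with a JavaScript build pipeline would want to know. It assumes the standard npm lockfile layouts (a nested "dependencies" tree in lockfileVersion 1 and a flat "packages" map keyed by node_modules path in lockfileVersion 2/3); the lockfile contents are constructed for the demonstration, including the clean versions used as contrast.

```python
import json

# Package and version named in the OpenAI disclosure. Extend this map if an
# advisory names further versions; nothing else is assumed here.
AFFECTED = {"axios": {"1.14.1"}}


def _walk_v1(deps, chain, hits):
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        path = chain + [name]
        if name in AFFECTED and meta.get("version") in AFFECTED[name]:
            hits.append((" > ".join(path), meta["version"]))
        _walk_v1(meta.get("dependencies"), path, hits)


def find_affected(lockfile_text):
    """Return [(location, version)] for every install of an affected package version.

    Every install location is reported, not just the top-level one, because a
    transitive dependency can pull the package in under a nested node_modules.
    """
    data = json.loads(lockfile_text)
    hits = []
    # lockfileVersion 2/3: flat map keyed by "node_modules/..." paths
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not an installed package
        # Take the segment after the last "node_modules/", which handles both
        # nested installs and @scoped package names.
        name = path.rsplit("node_modules/", 1)[-1]
        if name in AFFECTED and meta.get("version") in AFFECTED[name]:
            hits.append((path, meta["version"]))
    # lockfileVersion 1 has only the nested tree; v2 carries both, so walk the
    # tree only when the flat map is absent to avoid double-reporting.
    if "packages" not in data:
        _walk_v1(data.get("dependencies"), [], hits)
    return hits


# Constructed sample lockfiles (not real project data).
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/some-lib": {"version": "2.0.0"},
        "node_modules/some-lib/node_modules/axios": {"version": "1.6.0"},
        "node_modules/follow-redirects": {"version": "1.15.9"},
    },
})

SAMPLE_LOCKFILE_V1 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 1,
    "dependencies": {
        "follow-redirects": {"version": "1.15.9"},
        "some-lib": {
            "version": "2.0.0",
            "dependencies": {"axios": {"version": "1.14.1"}},
        },
    },
})


if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCKFILE_V3), ("v1", SAMPLE_LOCKFILE_V1)):
        for location, version in find_affected(text):
            print(f"[{label}] affected {location} @ {version}")
```

Run it against a real `package-lock.json` by passing the file contents to `find_affected`. A hit in a lockfile used by a CI job is the signal to treat any secret that job could reach, such as signing material, as exposed until rotated, which is the response the article describes.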