OpenAI identified a vulnerability in an external module in its products—user data security was not compromised


OpenAI reports a detected security threat and measures taken to mitigate it

OpenAI announced the discovery of a potential vulnerability in the third-party component Axios, which is used in several of its applications. As a result, the company had to take steps to protect the signing process for its macOS software.

- No evidence of compromise

At present OpenAI has found no confirmation that attackers gained access to user data, disrupted system operations, or altered software.

- How the vulnerability was closed

The company updated security certificates and strongly recommends all macOS app users upgrade to the latest versions. This will help eliminate the risk of counterfeit software distribution.

- Nature of the incident

In early March the Axios library was compromised, and a malicious variant was downloaded and executed during CI/CD via GitHub Actions. The malicious version gained access to the certificates used to sign the ChatGPT Desktop, Codex, Codex-cli, and Atlas applications. Analysis showed that the certificates were not stolen by the malicious code.

- Issue with older versions

OpenAI’s macOS desktop apps released before March 8 will no longer receive updates or support. This could lead to loss of software functionality.

- Security of keys

The company emphasized that OpenAI passwords and API keys remained protected. The primary cause of the incident was a misconfiguration in GitHub Actions, which has now been corrected.

Thus, OpenAI completed its threat mitigation efforts by updating certificates and urging users to move to current macOS app versions.
