OpenAI Revokes Certificates After Malware Compromises macOS Build System

OpenAI has disclosed a security incident involving its internal systems. The company found evidence that one of its tools downloaded a malicious update from a legitimate open-source software library.

This breach potentially allowed hackers to steal a code-signing certificate. Such a certificate could be used to create fake applications that appear to be legitimate OpenAI products. However, the company states it has not observed any misuse of the certificate so far.

According to OpenAI, the incident occurred on March 31st. A GitHub workflow used by the company to sign certificates for its macOS applications downloaded a compromised update from the Axios software library. Hackers had previously breached a developer account and uploaded two infected updates to that library.

The compromised system could have impacted users of OpenAI's macOS applications, including ChatGPT Desktop, Atlas, and Codex. Access could also have enabled attackers to create counterfeit apps with a valid certificate, potentially tricking devices and app stores.

OpenAI emphasized there is no evidence that any user data, intellectual property, or internal systems were accessed or compromised. The company also found no signs that its applications for iOS, Android, Windows, or other platforms were affected.

As a precautionary measure, OpenAI will end support for older versions of its macOS apps on May 8th. Users have been given a 30-day window to update their software before the revoked certificate may block new downloads and initial launches.