
OpenAI Revokes macOS Signing Certificate After Malicious Dependency Incident

Tech & Science · AI-Generated & Algorithmically Scored · 2 updates

AI-generated from multiple sources. Verify before acting on this reporting.

Update

SAN FRANCISCO — OpenAI has confirmed additional corroborating reports regarding the malicious dependency incident that led to the revocation of its macOS signing certificate. The company stated that the scope of the compromised Axios library download has been further validated by multiple independent sources. This development reinforces the initial assessment that the automated build process was targeted, prompting the immediate security measures taken on Sunday. OpenAI continues to investigate the extent of the compromise and is working to ensure no unauthorized access to its software signing infrastructure occurred. The artificial intelligence developer has not yet released details on whether any user data was accessed during the incident. Security experts are monitoring the situation closely as the investigation progresses. OpenAI remains committed to maintaining the integrity of its applications and will provide further updates as more information becomes available. The company is collaborating with cybersecurity partners to prevent similar incidents in the future.

Update

SAN FRANCISCO — OpenAI has confirmed additional corroborating reports regarding the compromised signing certificate incident. The company stated that further details have emerged concerning the scope of the malicious dependency within the software library. While the initial revocation of the macOS signing certificate remains in effect, these new reports indicate that the automated build process may have been affected more broadly than initially assessed. OpenAI is continuing its investigation into the extent of the compromise and is working to secure its development pipeline. No further action has been announced at this time, but the company is monitoring the situation closely to prevent any potential misuse of its software applications. The incident underscores the importance of securing software dependencies in automated workflows.

Original Report —

SAN FRANCISCO — OpenAI revoked its macOS signing certificate on Sunday following the discovery of a malicious dependency in a software library used to sign its applications. The move comes after a compromised version of the Axios library was downloaded by a GitHub Actions workflow, prompting the artificial intelligence developer to take immediate action to prevent potential software misuse.

The incident occurred when the automated build process, which is responsible for digitally signing OpenAI's macOS applications, pulled a tainted version of the Axios HTTP client. Security experts identified the malicious code within the library, which could have allowed unauthorized actors to sign and distribute rogue software under OpenAI's digital identity. By revoking the certificate, OpenAI withdrew trust from the certificate (and therefore from the signing key it vouched for) that is used to verify the authenticity of its software, so that any applications signed under it would no longer be trusted by Apple's operating system.

OpenAI did not immediately release a detailed statement regarding the scope of the breach or the specific nature of the malicious code embedded within the Axios dependency. However, the company confirmed that the revocation was a precautionary measure to secure its software supply chain. The incident highlights the growing risks associated with third-party dependencies in automated development environments, where a single compromised package can undermine the security of an entire software ecosystem.
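The weakness the report describes, a build workflow pulling a tainted package at build time, is the class of problem that lockfile integrity pinning is meant to catch before anything is signed. The following is an added illustration, not code from the original report or from OpenAI: a small Python audit that checks that every dependency in an npm package-lock.json is resolved from the expected registry and that the tarball the build actually fetched matches the pinned sha512 integrity hash. The trusted registry URL, the lockfile contents and the tarball bytes are constructed for the example and are not real package data.

```python
"""Audit an npm package-lock.json before a signing build runs.

Two checks per dependency: the package must be resolved from the trusted
registry, and the tarball bytes fetched by the build must match the SRI
(subresource-integrity) hash pinned in the lockfile.
"""
import base64
import hashlib

# Assumption for this example: only the public npm registry is an allowed source.
TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def sri_sha512(data: bytes) -> str:
    """Return the npm-style SRI string ("sha512-<base64 digest>") for a tarball."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def audit_lockfile(lock: dict, fetched: dict) -> list:
    """Return (package, problem) tuples; an empty list means the lockfile passed.

    `lock` is a parsed lockfileVersion 2/3 package-lock.json.
    `fetched` maps the lockfile package path (e.g. "node_modules/axios") to the
    tarball bytes the build job actually downloaded.
    """
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project entry is not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        integrity = entry.get("integrity")

        if not resolved.startswith(TRUSTED_REGISTRY):
            findings.append((name, f"resolved from untrusted source: {resolved or '<none>'}"))
        if not integrity:
            findings.append((name, "no integrity hash pinned"))
            continue
        if not integrity.startswith("sha512-"):
            findings.append((name, f"weak or unknown integrity algorithm: {integrity.split('-')[0]}"))
            continue
        data = fetched.get(path)
        if data is None:
            findings.append((name, "tarball not fetched; cannot verify"))
            continue
        if sri_sha512(data) != integrity:
            findings.append((name, "tarball does not match pinned integrity hash"))
    return findings


# Constructed sample data: neither the tarball bytes nor the hashes are real.
GOOD_AXIOS = b"constructed axios tarball contents"
TAMPERED_AXIOS = GOOD_AXIOS + b"\n# constructed marker standing in for injected code"

SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "signing-build", "version": "1.0.0"},
        "node_modules/axios": {
            "version": "1.0.0",  # placeholder version, not the one in the report
            "resolved": TRUSTED_REGISTRY + "axios/-/axios-1.0.0.tgz",
            "integrity": sri_sha512(GOOD_AXIOS),
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            # Hypothetical mirror with no integrity field: both should be flagged.
            "resolved": "https://example.invalid/mirror/left-pad-1.3.0.tgz",
        },
    },
}


def run_sample() -> list:
    """Simulate a build that fetched a tampered axios tarball."""
    fetched = {
        "node_modules/axios": TAMPERED_AXIOS,
        "node_modules/left-pad": b"constructed left-pad tarball",
    }
    return audit_lockfile(SAMPLE_LOCK, fetched)


if __name__ == "__main__":
    for pkg, problem in run_sample():
        print(f"{pkg}: {problem}")
```

Run as a gate in the workflow before the signing step and fail the job on any finding; a mismatch between the fetched tarball and the pinned hash is exactly the condition under which a tainted package would otherwise reach the signer.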

The revocation affects all macOS applications signed with the compromised certificate, requiring users to download updated versions of OpenAI's software to restore functionality. Apple's security protocols will flag applications signed with the revoked certificate as untrusted, preventing them from running on macOS systems without user intervention. This disruption underscores the critical importance of supply chain security in the software industry, particularly for high-profile companies handling sensitive data and advanced technologies.

Security researchers are currently investigating the origin of the malicious Axios library and the potential impact on other organizations that may have used the same compromised dependency. The incident has raised concerns about the vulnerability of open-source libraries, which are widely used but often lack rigorous security auditing. As of Sunday, there is no confirmation of whether any unauthorized software was successfully signed and distributed using the compromised certificate before the revocation.

OpenAI is working to issue a new signing certificate and update its software distribution channels to ensure users can access secure versions of its applications. The company is also reviewing its development workflows to prevent similar incidents in the future. The situation remains fluid as investigators continue to assess the full extent of the breach and its implications for the broader software industry.