Jakarta - OpenAI revealed a security incident involving a third-party developer tool called Axios. The company confirmed, however, that there was no evidence of access to user data or compromise of its internal systems.

In its official statement, OpenAI said this incident was part of a wider software supply chain attack, which is suspected of involving actors affiliated with North Korea. The attack occurred on March 31, 2026 and targeted the Axios library, which is widely used in application development.

"There is no evidence that user data was accessed, our systems were infiltrated, or our software was modified," OpenAI said.

GitHub Actions Gap Is the Root of the Problem

OpenAI explained that the attack exploited a GitHub Actions workflow that downloaded and ran a version of Axios into which malicious code had been injected. The workflow had access to the certificates and notarization material used to sign OpenAI's official macOS applications, including ChatGPT Desktop, Codex, Codex-cli, and Atlas.

However, the internal investigation concluded that the signing certificate was most likely not successfully exfiltrated by the malicious payload.

The company also confirmed that user passwords and OpenAI API keys were not affected in this incident.

"The main cause of this incident was a configuration error in the GitHub Actions workflow, which we have now fixed," the statement continued.

Mandatory Update for macOS Users

As a mitigation measure, OpenAI is now updating its security certification system and requiring all macOS users to update their OpenAI applications to the latest version.

This step was taken to prevent the potential distribution of fake applications that can take advantage of previous security gaps.

OpenAI also announced that starting May 8, 2026, the old version of their macOS desktop application will no longer receive updates or support, and may no longer be usable.

This step is considered a preventive measure to ensure that all users are within an application ecosystem whose security has been strengthened.

Technology Industry Back in the Spotlight on Supply Chain Security

This incident once again highlights the vulnerabilities in the global software supply chain, especially when widely used third-party libraries become entry points for attacks.

Although OpenAI managed to avoid serious impacts, this case is a reminder that even large technology companies are not immune to the gaps that arise from external dependencies.

With the increasing complexity of the software development ecosystem, transparency and response speed as demonstrated by OpenAI are crucial in maintaining public trust.


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by AI, so there may still be inaccuracies in translation; please always refer to the Indonesian version as our main language. (System supported by DigitalSiber.id)