A major software supply chain compromise has prompted OpenAI to issue urgent updates to its applications running on macOS.
When a North Korean state-sponsored actor tampered with Axios, a widely used third-party developer library, the ripple effects were numerous.
This trusted open-source dependency has over 100 million weekly downloads, and those who downloaded the malicious package were likely infected with a remote access trojan (RAT) capable of conducting reconnaissance, executing remote commands and even exfiltrating data.
The response from the ChatGPT maker comes in light of this breach as the company notes: “Out of an abundance of caution we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps.”
Even as the AI pioneer says that they have “found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised or that our software was altered,” the company is erring on the side of caution by updating its macOS security certificates to prevent any potential misuse.
This update requires all macOS users to install the latest versions of OpenAI applications including ChatGPT Desktop, Codex App, Codex CLI and Atlas.
The move is designed to eliminate even the smallest chance of malicious actors distributing counterfeit applications that appear legitimate.
OpenAI emphasised its commitment to transparency and rapid response, stating that protecting user privacy and security remains a top priority.
The original Axios incident dates back to 31 March, when Axios version 1.14.1 was compromised during a supply chain attack by UNC1069 – a financially motivated North Korea-nexus threat actor active since at least 2018, according to the Google Threat Intelligence Group.
A GitHub Actions workflow used in OpenAI’s macOS app-signing process unknowingly downloaded and executed the malicious version of Axios.
OpenAI says that this workflow had access to sensitive certificate and notarisation materials – which are used to verify that OpenAI’s macOS applications are genuine.
While initial concerns suggested these credentials could have been exposed, OpenAI’s investigation found that timing and technical safeguards likely prevented any successful exfiltration.
“Nevertheless, out of an abundance of caution we are treating the certificate as compromised and are revoking and rotating it,” the AI giant says.
This is to ensure that all future app versions are signed with updated credentials.
The company also warns that from 8 May, older versions of OpenAI macOS applications will no longer receive support or updates and may stop functioning entirely.
OpenAI has taken extensive steps to address the issue and strengthen its security posture.
These include engaging a third-party digital forensics and incident response firm, rotating its macOS code signing certificate and releasing newly signed versions of all potentially affected applications.
OpenAI is also working closely with Apple to block any software signed with the previous certificate from being newly notarised.
A thorough review of past notarisation activity has confirmed that no unauthorised software was signed using OpenAI credentials.
The root cause of the vulnerability was traced to a misconfigured GitHub Actions workflow, which OpenAI says it has addressed.
The AI giant pointed to two specific issues, both now resolved: the workflow used a floating tag instead of a fixed commit hash, and it had no minimum release age requirement for packages.
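The two issues named above can be checked mechanically. The following is an added example, not OpenAI's code: it flags workflow `uses:` references that are not pinned to a full 40-character commit hash, and package versions published more recently than a minimum age. The workflow text, package timestamps, action names and the 7-day threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# "uses: owner/repo[/path]@ref" in a workflow step; local "./path" actions have no "@ref".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def unpinned_actions(workflow_text):
    """Return (line_no, action, ref) for each `uses:` not pinned to a full commit hash."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("docker://"):
            continue  # not an action reference, or a container image (pinned by digest instead)
        if not FULL_SHA_RE.fullmatch(m.group(2)):
            findings.append((no, m.group(1), m.group(2)))  # tag or branch: can be moved later
    return findings

def too_fresh(release_times, now, min_age_days=7):
    """Return versions published less than min_age_days before `now` (threshold is an assumption)."""
    cutoff = now - timedelta(days=min_age_days)
    return sorted(v for v, ts in release_times.items()
                  if datetime.fromisoformat(ts) > cutoff)

# Constructed sample workflow: one floating tag, one reference pinned to a placeholder hash.
SAMPLE_WORKFLOW = """\
name: sign-macos-app
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-signing@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
"""

# Constructed version -> publish-time map for a hypothetical dependency.
SAMPLE_RELEASES = {
    "1.0.0": "2024-01-10T12:00:00+00:00",
    "1.0.1": "2024-03-30T23:00:00+00:00",
}
SAMPLE_NOW = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for no, action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {no}: {action}@{ref} is not pinned to a commit hash")
    for version in too_fresh(SAMPLE_RELEASES, SAMPLE_NOW):
        print(f"version {version} is younger than the minimum release age")
```
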
Security experts warn that the implications of the Axios breach extend far beyond a single company. Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, highlighted the scale of the threat:
“The impact of this attack is broad and has significant ripple effects, as countless other popular packages rely on axios as a dependency.”
“UNC1069 isn’t the only threat actor that has launched successful open-source supply chain attacks in recent weeks,” Austin adds.
“Other groups, such as TeamPCP (UNC6780), have recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations.”
These developments underline the growing risks within open-source ecosystems and the importance of proactive security measures.