OpenAI's response to the Axios developer tool compromise
hackernews
Category: AI Models
#ai
#ai competition
#ai models
#mark zuckerberg
#meta
#muse spark
#openai
Summary
Meta is accelerating its AI rebuild with the release of 'Muse Spark', the first product of Meta Superintelligence Labs (MSL), whose launch CEO Mark Zuckerberg announced personally to strengthen the company's AI competitiveness. The model hands tasks to several sub-agents in parallel to carry out jobs such as planning a family trip, and its image-recognition capability lets it compare the calorie counts of products from photos. By Meta's own evaluation it outperformed competitors' models, including Anthropic's, in some areas, and Meta plans to expand its capital expenditure substantially, to $115 billion to $135 billion in 2026. The news drew a positive market reaction, with Meta's share price rising 6.50%.
Why it matters
Related entities
Meta
Mark Zuckerberg
Meta Superintelligence Labs
MSL
Muse Spark
Anthropic
OpenAI
Axios
Body
April 10, 2026
[Security](https://openai.com/news/security/)
# Our response to the Axios developer tool compromise
We recently identified a security issue involving a third-party developer tool, Axios, that was part of a widely reported [broader industry incident](https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package). Out of an abundance of caution we are taking steps to protect the process that certifies our macOS applications as legitimate OpenAI apps.

We found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered.

We are updating our security certificates, which will require all macOS users to update their OpenAI apps to the latest versions. This helps prevent any risk, however unlikely, of someone distributing a fake app that appears to be from OpenAI.
You can update safely through an in-app update or at the official links below:
* [ChatGPT Desktop](https://chatgpt.com/download/?openaicom-did=02a901ab-8085-451d-a19d-d26254c84827&openaicom_referred=true)
* [Codex App](https://chatgpt.com/codex/?openaicom-did=02a901ab-8085-451d-a19d-d26254c84827&openaicom_referred=true)
* [Codex CLI](https://developers.openai.com/codex/cli)
* [Atlas](https://chatgpt.com/atlas?openaicom-did=02a901ab-8085-451d-a19d-d26254c84827&openaicom_referred=true)

The security and privacy of your information are a top priority. We are committed to being transparent and taking quick action when issues arise. We share more technical details and FAQs below.

#### What happened and what we are doing
On March 31, 2026 (UTC), Axios, a widely used third-party developer library, [was compromised as part of a broader software supply chain attack](https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package). At that time, a GitHub Actions workflow we use in the macOS app-signing process downloaded and executed a malicious version of Axios (version 1.14.1). This workflow had access to a certificate and notarization material used for signing macOS applications, including ChatGPT Desktop, Codex, Codex CLI, and Atlas. This certificate helps customers know that software comes from the legitimate developer, OpenAI.

Our analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload, because of the timing of the payload's execution, the point at which the certificate was injected into the job, the sequencing of the job itself, and other mitigating factors. Nevertheless, out of an abundance of caution we are treating the certificate as compromised, and are revoking and rotating it.
Effective May 8, 2026, older versions of our macOS desktop apps will no longer receive updates or support, and may not be functional. The versions below are the earliest releases signed with our updated certificate; anything older is affected:
* ChatGPT Desktop: 1.2026.051
* Codex App: 26.406.40811
* Codex CLI: 0.119.0
* Atlas: 1.2026.84.2

#### Investigation and remediation efforts
As part of our investigation and response, we engaged a third-party digital forensics and incident response firm, rotated our macOS code signing certificate, published new builds of all relevant macOS products with the new certificate, and are working with Apple to ensure that software signed with the previous certificate cannot be newly notarized. We have also reviewed all notarization of software using our previous certificate to confirm that no unexpected notarization occurred with these keys, and validated that our published software did not have unauthorized modifications. At this time, we have found no evidence of compromise or risk to existing software installations.

If the certificate was in fact obtained by a malicious actor, they could use it to sign their own code, making it appear to be legitimate OpenAI software. We have stopped new notarizations using the old certificate, so new software signed with it by an unauthorized third party would be blocked by default by macOS security protections unless a user explicitly bypasses them. Once we fully revoke the certificate on May 8, 2026, new downloads and launches of apps signed with the previous certificate will be blocked by macOS security protections.

The root cause of this incident was a misconfiguration in the GitHub Actions workflow, which we have addressed. Specifically, the action in question was referenced by a floating tag rather than a specific commit hash, and the workflow did not have a minimumReleaseAge configured for new packages.

## FAQ
**Were OpenAI products or user data compromised?**
No.
We have found no evidence that OpenAI products or user data were compromised or exposed.

**Have you seen malware signed as OpenAI?**
No. We have found no evidence that the potentially exposed notarization and code signing material has been misused, and we have confirmed that all notarization events with the impacted material were expected.

**Do I need to change my password?**
No. Passwords and OpenAI API keys were not affected.

**Does this affect iOS, Android, Linux, or Windows?**
No. This only affects OpenAI macOS apps. It does not affect the web versions of our software.

**Why are you asking me to update my Mac apps?**
OpenAI identified exposure in a GitHub Actions workflow involved in the macOS app-signing process. Because the exposed workflow was related to macOS app signing, we are proactively rotating the notarization and code signing material used for OpenAI macOS applications. Updating ensures you are running versions signed with our latest certificate, which helps customers know that software comes from the legitimate developer, OpenAI.

**Where do I download the updated macOS apps?**
Only download OpenAI apps through in-app updates or from the official webpages below:
* [ChatGPT](https://chatgpt.com/download/?openaicom-did=02a901ab-8085-451d-a19d-d26254c84827&openaicom_referred=true)
* [Codex](https://chatgpt.com/codex/?openaicom-did=02a901ab-8085-451d-a19d-d26254c84827&openaicom_referred=true)
* [Codex CLI](https://developers.openai.com/codex/cli)
* [Atlas](https://chatgpt.com/atlas?openaicom-did=02a901ab-8085-451d-a19d-d26254c84827&openaicom_referred=true)

Do not install apps from links in emails, messages, ads, or third-party download sites. Be cautious of unexpected "OpenAI," "ChatGPT," or "Codex" installers sent through email, text, chat messages, ads, file-sharing links, or third-party download sites.
**What happens after May 8, 2026?**
Effective May 8, 2026, older versions of our macOS desktop apps will no longer receive updates or support, and may not be functional. The versions below are the earliest releases signed with our updated certificate; anything older is affected:
* ChatGPT Desktop: 1.2026.051
* Codex App: 26.406.40811
* Codex CLI: 0.119.0
* Atlas: 1.2026.84.2

**Why are you not revoking the certificate immediately?**
We have blocked any further notarization of macOS apps with the impacted notarization material. This means that any fraudulent app posing as an OpenAI app and signed with the impacted certificate will lack notarization, and will therefore be blocked by default by macOS security protections unless a user explicitly bypasses them. Because new notarization with the previous certificate is blocked, and because revocation may cause macOS to block new downloads and first-time launches of apps signed with the previous certificate, we are giving users a 30-day window to update in order to minimize disruption. This window helps minimize user risk and lets impacted clients update through built-in update mechanisms, ensuring they are appropriately remediated. We are working with our partners to monitor for any indicators of misuse of the signing certificate, and will accelerate the revocation timeline if we identify malicious activity during this window.
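The root cause named above (an action referenced by a floating tag rather than a commit hash, and no minimumReleaseAge for new packages) is something a build engineer can check for mechanically. The following Python script is an added example, not OpenAI's code: it flags `uses:` references in a workflow that are not pinned to a 40-character commit SHA, and checks pnpm's `minimumReleaseAge` (in `pnpm-workspace.yaml`) or `minimum-release-age` (in `.npmrc`) for a release-age floor. The workflow and configuration texts it carries are constructed samples, `example-org/setup-signing` is a hypothetical action, and the SHAs in the hardened workflow are placeholders rather than real commits.

```python
"""Lint a GitHub Actions workflow for the two misconfigurations the incident
write-up names: a third-party action referenced by a floating tag instead of a
full commit SHA, and a package-manager configuration with no release-age floor.

Added example, not OpenAI's code. The workflow and config texts below are
constructed samples; example-org/setup-signing is a hypothetical action and
the SHAs in the hardened workflow are placeholders.
"""
import re
from typing import List, Optional

# `uses:` lines reference owner/repo[/path]@ref, ./local-path, or docker://image.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# pnpm reads `minimumReleaseAge: <minutes>` from pnpm-workspace.yaml and
# `minimum-release-age=<minutes>` from .npmrc; both are the same control.
MIN_AGE_RE = re.compile(
    r"^[ \t]*(?:minimumReleaseAge|minimum-release-age)[ \t]*[:=][ \t]*['\"]?(\d+)",
    re.MULTILINE,
)


def find_unpinned_actions(workflow_yaml: str) -> List[str]:
    """Return each remote action reference whose ref is not a 40-hex commit SHA."""
    findings = []
    for ref in USES_RE.findall(workflow_yaml):
        if ref.startswith(("./", "docker://")):
            continue  # local action or container image: not a git ref at all
        if "@" not in ref:
            findings.append(ref)  # no ref resolves to the default branch
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            findings.append(ref)  # tag or branch: the publisher, or an attacker, can move it
    return findings


def min_release_age_minutes(config_text: str) -> Optional[int]:
    """Return the configured release-age floor in minutes, or None if absent or zero."""
    m = MIN_AGE_RE.search(config_text)
    if m is None:
        return None
    minutes = int(m.group(1))
    return minutes if minutes > 0 else None


def lint(workflow_yaml: str, pm_config: str, required_minutes: int = 1440) -> List[str]:
    """Combine both checks into human-readable findings (an empty list means clean)."""
    findings = [f"unpinned action: {ref}" for ref in find_unpinned_actions(workflow_yaml)]
    age = min_release_age_minutes(pm_config)
    if age is None:
        findings.append("no minimumReleaseAge: a package published minutes ago installs immediately")
    elif age < required_minutes:
        findings.append(f"minimumReleaseAge {age} min is below the {required_minutes} min policy")
    return findings


# Constructed sample inputs (hypothetical workflow; placeholder SHAs).
VULNERABLE_WORKFLOW = """\
name: sign-macos
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-signing@main   # hypothetical third-party action
      - run: pnpm install
"""

HARDENED_WORKFLOW = """\
name: sign-macos
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: example-org/setup-signing@fedcba9876543210fedcba9876543210fedcba98  # placeholder SHA
      - run: pnpm install --frozen-lockfile
"""

VULNERABLE_PNPM_WORKSPACE = "packages:\n  - 'apps/*'\n"
HARDENED_PNPM_WORKSPACE = (
    "packages:\n  - 'apps/*'\n"
    "minimumReleaseAge: 1440   # minutes: ignore versions published in the last 24 hours\n"
)

if __name__ == "__main__":
    for label, wf, cfg in [("vulnerable", VULNERABLE_WORKFLOW, VULNERABLE_PNPM_WORKSPACE),
                           ("hardened", HARDENED_WORKFLOW, HARDENED_PNPM_WORKSPACE)]:
        print(label, lint(wf, cfg) or ["clean"])
```

A SHA pin only helps if the pinned commit is the one that was reviewed, so keep the tag it corresponds to in a trailing comment as the hardened sample does and let a dependency-update tool refresh the pins. A release-age floor buys time for a malicious release to be noticed and pulled before any job installs it; it complements a lockfile installed with `--frozen-lockfile` rather than replacing it.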
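For the May 8 cutoff, an administrator of a Mac fleet wants to know which machines still run builds older than the versions listed above. The following Python script is an added example, not OpenAI's code: it compares an installed bundle's `CFBundleShortVersionString` against the advisory's floor for each product, and parses `codesign -dv --verbose=4` and `spctl --assess` output for the signer's Team ID and notarization status. The codesign and spctl outputs embedded in it are constructed samples, the bundle identifier `com.example.chatgpt` is invented, and the Team ID `ABCDE12345` is a placeholder, not OpenAI's.

```python
"""Check an installed OpenAI macOS app against the minimum versions in the
advisory and against what codesign/spctl report about its signature.

Added example, not OpenAI's code. The sample tool outputs below are constructed;
the Team ID and bundle identifier in them are placeholders.
"""
import plistlib
import re
import subprocess
from pathlib import Path

# Earliest releases signed with the rotated certificate, per the advisory.
MINIMUM_VERSIONS = {
    "ChatGPT Desktop": "1.2026.051",
    "Codex App": "26.406.40811",
    "Codex CLI": "0.119.0",
    "Atlas": "1.2026.84.2",
}


def version_key(version: str):
    """Numeric key for dotted versions such as '1.2026.051' (so '051' compares as 51)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def meets_minimum(product: str, installed: str) -> bool:
    """True if `installed` is at or above the advisory's floor for `product`."""
    have, need = version_key(installed), version_key(MINIMUM_VERSIONS[product])
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))  # treat '1.2026.84' as '1.2026.84.0'
    need += (0,) * (width - len(need))
    return have >= need


def parse_codesign(text: str) -> dict:
    """Extract signer fields from `codesign -dv --verbose=4` output (written to stderr)."""
    info = {"authorities": []}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "Authority":
            info["authorities"].append(value)  # leaf first, then intermediates, then root
        elif key in ("Identifier", "TeamIdentifier"):
            info[key] = value
    return info


def parse_spctl(text: str) -> bool:
    """True if Gatekeeper's assessment reports a notarized Developer ID signature."""
    return "source=Notarized Developer ID" in text


def assess(product: str, installed: str, codesign_text: str, spctl_text: str,
           expected_team_id: str) -> list:
    """Return a list of problems; an empty list means the install is acceptable."""
    problems = []
    if not meets_minimum(product, installed):
        problems.append(f"{product} {installed} predates {MINIMUM_VERSIONS[product]}; update before May 8, 2026")
    sig = parse_codesign(codesign_text)
    if sig.get("TeamIdentifier") != expected_team_id:
        problems.append(f"unexpected TeamIdentifier {sig.get('TeamIdentifier')!r}")
    if not any(a.startswith("Developer ID Application:") for a in sig["authorities"]):
        problems.append("not signed with a Developer ID Application certificate")
    if not parse_spctl(spctl_text):
        problems.append("Gatekeeper does not see a notarized Developer ID signature")
    return problems


def inspect_bundle(app_path: str, product: str, expected_team_id: str) -> list:
    """Run the real tools against an installed bundle (macOS only; both write to stderr)."""
    plist = plistlib.loads((Path(app_path) / "Contents" / "Info.plist").read_bytes())
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", app_path], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--verbose=2", "--type", "exec", app_path],
                        capture_output=True, text=True)
    return assess(product, plist["CFBundleShortVersionString"], cs.stderr,
                  sp.stderr + sp.stdout, expected_team_id)


# Constructed sample outputs; placeholder Team ID and bundle identifier, not OpenAI's.
SAMPLE_CODESIGN = """Executable=/Applications/ChatGPT.app/Contents/MacOS/ChatGPT
Identifier=com.example.chatgpt
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
SAMPLE_SPCTL_OK = ("/Applications/ChatGPT.app: accepted\nsource=Notarized Developer ID\n"
                   "origin=Developer ID Application: Example Developer (ABCDE12345)\n")
SAMPLE_SPCTL_REJECTED = "/Applications/ChatGPT.app: rejected\nsource=Unnotarized Developer ID\n"

if __name__ == "__main__":
    for version in ("1.2026.051", "1.2026.49"):
        print(version, assess("ChatGPT Desktop", version, SAMPLE_CODESIGN, SAMPLE_SPCTL_OK, "ABCDE12345"))
```

codesign reports the signing identity's name and Team ID but not which of two certificates issued under that identity signed the bundle, so the version number is the discriminator the advisory gives. To compare certificates directly, extract the leaf with `codesign -d --extract-certificates` and fingerprint the resulting `codesign0` file with `openssl x509 -inform DER -noout -fingerprint -sha256`.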
## Author
OpenAI