OpenAI issues Mac app update after developer tool hit by supply chain attack

April 14, 20262 min read2 sources
Share:
OpenAI issues Mac app update after developer tool hit by supply chain attack

OpenAI has released a precautionary update for its macOS desktop application after an internal developer tool was found to have incorporated a malicious version of a popular open-source library. The company confirmed that no user data or credentials were compromised.

The incident originated on February 14 when a compromised version (5.0.0) of the widely used npm package `http-proxy-agent` was published. Security firm Snyk, which analyzed the package, reported that the malicious code was designed to steal sensitive information from developer environments. The code specifically targeted environment variables, searching for credentials such as AWS access keys, GitHub tokens, and Slack API tokens, and sending them to a remote server.

OpenAI stated that a tool used in the development process for its Mac app automatically retrieved the malicious package during the brief window it was available. Upon discovering the integration, the company launched an internal investigation and concluded that the integrity of its systems and software was not impacted. The update was issued to ensure the application's code was completely free of the tainted dependency.

This event underscores the persistent threat of software supply chain attacks, where attackers compromise a single component to affect numerous downstream users. The malicious version of `http-proxy-agent` was quickly identified by security researcher Maciej Mensfeld and removed from the npm registry, limiting the potential damage. Developers and organizations that may have downloaded the compromised package are urged to rotate any potentially exposed credentials immediately.

Share:

// SOURCES

// RELATED

Meta settles bellwether lawsuit alleging addictive design harmed student mental health

Meta's confidential settlement with a Washington school district marks a pivotal moment in the massive litigation against social media's psychological

6 min readMay 24

Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network

A sophisticated zero-day attack on Huawei routers allegedly caused Luxembourg's 2023 national telecom outage, raising severe global security concerns.

6 min readMay 23

MiniPlasma Windows 0-day enables SYSTEM privilege escalation on fully patched systems

A newly disclosed 0-day flaw, MiniPlasma, allows attackers to gain full SYSTEM control on patched Windows systems, with a public PoC accelerating risk

6 min readMay 18

The ransomware dilemma: why more than half of security chiefs would pay the price

A new survey reveals 56% of CISOs would consider paying a ransom, highlighting the intense pressure to restore operations despite official guidance.

6 min readMay 16