Urgent security warning from OpenAI for Mac users


OpenAI has urged users of its macOS applications, including ChatGPT and Codex, to install new versions after several employee devices were compromised.
The attack targeted TanStack, a widely used open-source web development library. On Monday, an attacker published 84 malicious package versions across 42 TanStack npm packages, the pre-built software components that other projects pull in as dependencies.

Some of the affected Tanstack software receives millions of downloads per week, meaning this breach could have affected a large number of projects and users, according to a report by PCMag, a technology news website, which was reviewed by Al Arabiya Business.

Security researchers were able to detect the malicious versions within the first 20 minutes and remove them. However, had this malware been installed, it would have downloaded malicious software capable of stealing developers' credentials for cloud computing accounts.

What is the connection to OpenAI's applications?

OpenAI said that two computers belonging to employees with access to the "company environment" had installed malicious versions of the TanStack software, prompting the company to launch an investigation.

The company said in a blog post: "We found no evidence of access to OpenAI user data, breaches of our production or intellectual property systems, or modification of our software."
However, OpenAI detected activity consistent with the malware's described behavior, including unauthorized access and credential-harvesting activity, in a limited subset of internal source code repositories that the affected employees could access.

The affected source code repositories contained code-signing certificates, which OpenAI uses to show that its applications are genuine and come from the company. If these certificates are stolen, attackers can present malware as a trusted OpenAI product and bypass the signature checks built into operating systems.

The company said: "The affected source code repositories included signing certificates for our products, including iOS, macOS, and Windows systems. As a result, we are currently rotating code signing certificates as a precautionary measure, which will require macOS users to update their applications."

It added: "Windows and iOS users do not need to take any action. Further guidance will be provided to macOS users regarding these required updates."
Recommendations for users
OpenAI appears concerned that stolen signing keys could be used to distribute malware to macOS users. OpenAI stated in its alert: "This helps prevent any risk, however unlikely, of an attempt to distribute a fake application that appears to be from OpenAI."

The company also warned Mac users, saying: "Do not install applications from links in emails, text messages, ads, or third-party download sites. Be wary of unexpected installers named 'OpenAI', 'ChatGPT', or 'Codex' that are sent via mail, messages, chat, ads, file-sharing links, or unofficial download sites."

So far, the company said it "has found no evidence of malicious software being signed using any of the OpenAI certificates."
However, the company plans to completely revoke the certificates on June 12, meaning that "downloads and runs of applications signed with the previous certificate will be blocked by macOS security systems."

Therefore, macOS users are advised to update via in-app updates or through the company's official download links.
OpenAI refrained from immediately revoking macOS certificates to avoid technical problems for Mac users due to Apple's authentication system.
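A defender-side check that follows from the certificate rotation described above, added here as an example and not taken from OpenAI or the article: it verifies that an installed macOS app bundle carries a valid signature, passes Gatekeeper's assessment, and is signed by the expected developer Team ID rather than by an unknown party. The Team ID value `TEAMID0000` and the app path are placeholders; the genuine Team ID is whatever `codesign -dv --verbose=4` reports for a copy obtained from the company's official download links.

```shell
#!/bin/sh
# Added example (not OpenAI's code). Checks that a macOS app is signed by the
# expected developer, so a look-alike "ChatGPT" or "Codex" installer from an
# email, ad or third-party site is rejected even if it carries some signature.
# EXPECTED_TEAM_ID is a placeholder; replace it with the value observed on an
# app downloaded from the official source.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID0000}"

# Pull the TeamIdentifier field out of `codesign -dv --verbose=4` output
# read from stdin. Prints nothing if the app is unsigned or ad-hoc signed.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Exit 0 when the codesign output on stdin names the expected team, 1 otherwise.
# A missing TeamIdentifier counts as a mismatch, never as a pass.
signer_matches() {
    expected="$1"
    actual=$(team_id_from_codesign)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Full check of an installed bundle: the signature must verify, Gatekeeper
# must accept it (revoked certificates fail here), and the signer must be ours.
check_app() {
    app="$1"
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: signature missing or invalid: $app"; return 1
    fi
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "FAIL: Gatekeeper rejects $app (certificate revoked or not notarized)"; return 1
    fi
    if codesign -dv --verbose=4 "$app" 2>&1 | signer_matches "$EXPECTED_TEAM_ID"; then
        echo "OK: $app is signed by Team ID $EXPECTED_TEAM_ID"
    else
        echo "FAIL: $app is not signed by Team ID $EXPECTED_TEAM_ID"; return 1
    fi
}

# Usage: sh check_app.sh /Applications/ChatGPT.app   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    check_app "$1"
fi
```

Run it against every copy of the app on a machine before the June 12 revocation date; a bundle that fails the Team ID check should be removed and replaced with one fetched from the official links.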
