OpenAI issues Mac app update after developer tool hit by supply chain attack

April 14, 2026 · 2 min read · 2 sources

OpenAI has released a precautionary update for its macOS desktop application after an internal developer tool was found to have incorporated a malicious version of a popular open-source library. The company confirmed that no user data or credentials were compromised.

The incident began on February 14, when a compromised version (5.0.0) of the widely used npm package `http-proxy-agent` was published to the registry. Security firm Snyk, which analyzed the package, reported that the malicious code was built to harvest secrets from developer environments: it read the process's environment variables, looked for credentials such as AWS access keys, GitHub tokens and Slack API tokens, and exfiltrated anything it found to a remote server.

OpenAI stated that a tool used in the build process for its Mac app automatically pulled in the malicious package during the brief window in which it was available. On discovering the dependency, the company opened an internal investigation and concluded that the integrity of its systems and software was not affected. The update was issued to ensure the shipped application carries no trace of the tainted dependency.

This event underscores the persistent threat of software supply chain attacks, in which compromising a single component reaches every downstream consumer of it. The malicious version of `http-proxy-agent` was quickly identified by security researcher Maciej Mensfeld and removed from the npm registry, limiting the potential damage. Removing the package does not undo the exposure, however: because the payload sent what it found to a remote server, any credential present in the environment when the package was installed should be treated as already stolen. Developers and organizations that may have installed the compromised version are urged to rotate any potentially exposed credentials immediately.
