OpenAI Issues Urgent Security Update for Mac Apps After Supply Chain Attack

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

OpenAI detected a security vulnerability in its Mac applications due to a compromised external development tool, Axios, linked to a broader software supply chain attack. While no user data or systems were breached, OpenAI urged users to update their apps to prevent risks from counterfeit applications.[AI generated]

Why's our monitor labelling this an incident or hazard?

The event involves the development and use of AI systems (OpenAI's ChatGPT Mac applications) and a security breach in the software supply chain that could plausibly lead to harm such as unauthorized access, counterfeit applications, or compromised user security. Although no actual harm (data breach, system compromise) was found, the incident posed a credible risk to the integrity and security of AI systems and their users. Therefore, it fits the definition of an AI Hazard rather than an AI Incident. The company's response and updates are mitigating the risk, but the event itself is about a plausible threat rather than realized harm.[AI generated]
AI principles
Robustness & digital security

Industries
Consumer services; Digital security

Affected stakeholders
Consumers

Harm types
Other

Severity
AI hazard

Business function:
Citizen/customer service

AI system task:
Interaction support/chatbots


Articles about this incident or hazard

"OpenAI" Imposes an Urgent Update for Mac Apps After a Security Flaw - Al-Wiam Newspaper

2026-04-11
صحيفة الوئام الالكترونية
Urgent warning: OpenAI asks users to update ChatGPT on Mac because of a detected vulnerability

2026-04-11
infobae
Why's our monitor labelling this an incident or hazard?
The event involves AI systems (ChatGPT, Codex, etc.) and concerns a security vulnerability that could plausibly lead to harm if exploited, such as distribution of malicious software impersonating legitimate AI applications. However, since no actual harm or data breach has occurred yet, and the update is a precautionary action, this qualifies as an AI Hazard rather than an AI Incident. The event does not primarily focus on responses or broader ecosystem developments but on a specific potential security risk related to AI software.
OpenAI discovers a breach in macOS that may have leaked your personal data

2026-04-14
La Razón
Why's our monitor labelling this an incident or hazard?
An AI system (OpenAI's Mac applications including ChatGPT Desktop) is involved, and the incident stems from a security breach in the development and deployment process (software supply chain compromise affecting signing certificates). Although no direct harm (data theft or malicious app distribution) has been confirmed, the compromised certificates could plausibly lead to an AI Incident if attackers used them to distribute fraudulent apps that harm users (e.g., stealing data or credentials). Since the harm is not confirmed but the risk is credible and significant, this qualifies as an AI Hazard rather than an AI Incident. The article focuses on the potential risk and mitigation steps rather than reporting realized harm.
Do you use ChatGPT on Mac? You need to update the app

2026-04-14
Diario Occidente
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT macOS apps) and a security incident related to the software supply chain (certificate compromise). While this could plausibly lead to harm if malicious apps were distributed, OpenAI states no evidence of such harm occurred. The main focus is on the risk and mitigation steps, not on realized harm. Therefore, this qualifies as an AI Hazard because it plausibly could have led to an AI Incident but did not result in actual harm as per the information provided. It is not Complementary Information because it reports a new event with potential risk, nor is it unrelated since it concerns AI system security.
OpenAI issues an urgent notice: update ChatGPT on Mac for security reasons

2026-04-11
Computer Hoy
Why's our monitor labelling this an incident or hazard?
The article involves AI systems (ChatGPT, Codex) and their software updates, but the issue stems from a third-party tool vulnerability rather than a malfunction or misuse of the AI systems themselves. No realized harm or violation of rights has occurred, and the update is a precaution to prevent possible future risks. Therefore, this is not an AI Incident or AI Hazard but rather Complementary Information about a security response and mitigation effort related to AI products.
OpenAI urges Mac users to update its apps after a security scare

2026-04-13
Quartz
Why's our monitor labelling this an incident or hazard?
An AI system is involved as OpenAI's applications (ChatGPT Desktop, Codex, Codex-cli, Atlas) are AI systems. The event stems from a security breach in the development and deployment pipeline (GitHub Actions workflow) that indirectly exposed signing certificates. Although no direct harm to users or systems has been confirmed, the exposure of signing certificates could plausibly lead to an AI Incident if exploited to distribute malicious or falsified AI software. However, since no actual harm or misuse has been reported and the company has taken corrective actions, this event represents a potential risk rather than realized harm. Therefore, it qualifies as Complementary Information, providing important context and updates on a security incident related to AI systems but not constituting an AI Incident or AI Hazard itself.