macOS cert problem for OpenAI apps
Security researchers warned that older ChatGPT, Codex and macOS OpenAI apps will stop working after May 8 because revoked certificates from a supply‑chain incident will invalidate those app builds, and users were urged to update to patched versions. The advisory said no user data was lost in the incident. (X/Twitter post by The Hacker News)
OpenAI is telling Mac users to update ChatGPT, Codex, Codex CLI and Atlas before May 8 or older app builds may stop working. (openai.com) The company said a malicious version of the Axios developer library ran inside a GitHub Actions workflow on March 31, 2026, during its macOS app-signing process. That workflow had access to the certificate and notarization material used to sign those four Mac apps. (openai.com) A signing certificate is the digital ID that tells macOS an app really came from its developer. OpenAI said it revoked and rotated that certificate after the incident, which means older builds signed with the old credentials will be invalidated after May 8, 2026. (openai.com) OpenAI said it found no evidence that user data was accessed or exfiltrated. The company described the step as a precaution meant to prevent misuse of the compromised signing materials. (openai.com) The warning applies to Mac software, not the ChatGPT web app, Windows app or Android app. OpenAI’s Help Center separately said ChatGPT Mac and iOS access problems tied to certificate changes do not affect the web client, Windows or Android users. (openai.com) (help.openai.com) OpenAI told users to install the latest releases issued on April 10, 2026. 9to5Mac reported the company framed the update as necessary “out of an abundance of caution” after the third-party tool incident. (9to5mac.com) The affected software spans both consumer and developer tools. OpenAI’s documentation says the Codex app is available on macOS, and its Help Center lists a dedicated macOS app collection for ChatGPT. (developers.openai.com) (help.openai.com) The broader issue was a software supply-chain attack, where attackers tamper with a trusted component used by many developers. The Hacker News reported the compromised Axios package versions included a remote-access trojan and linked the campaign to North Korean threat actors. (thehackernews.com) For Mac users, the practical deadline is May 8: update now, or risk having ChatGPT, Codex, Codex CLI or Atlas stop launching with the revoked certificate. (openai.com)
