OpenAI macOS security alert

OpenAI said it identified a security issue tied to a third‑party developer tool used in certifying its macOS apps and stated it found no evidence user data was accessed. (tech.yahoo.com) OpenAI has been revoking certificates and urging macOS users to update apps, with older versions reportedly losing support after May 8. (timesnownews.com)

OpenAI is telling Mac users to update its desktop apps after a compromised developer tool touched the company’s app-signing workflow on March 31. (openai.com) App signing is the digital stamp that tells macOS a program really came from the named developer. OpenAI said a GitHub Actions workflow in that process downloaded a malicious version of the Axios library, version 1.14.1, during a broader software supply chain attack. (openai.com)

The workflow had access to a certificate and notarization material used to sign ChatGPT Desktop, the Codex app, Codex Command Line Interface, and Atlas for macOS. OpenAI said its investigation found no evidence that user data was accessed, its systems or intellectual property were compromised, or its software was altered. (openai.com)

A signing certificate works like an official seal on a package: if someone steals it, they may be able to make fake software look real. OpenAI said it believes the certificate was likely not successfully exfiltrated, but it is revoking and rotating the certificate anyway. (openai.com)

That certificate change forces a practical deadline for users. OpenAI said that effective May 8, 2026, older versions of its macOS desktop apps will no longer receive updates or support and “may not be functional.” (openai.com) The earliest versions signed with the new certificate are ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex Command Line Interface 0.119.0, and Atlas 1.2026.84.2. OpenAI said Mac users should update through the apps themselves or through its official download pages. (openai.com)

OpenAI also said it hired a third-party digital forensics and incident response firm, reviewed notarization records tied to the old certificate, and worked with Apple so software signed with the previous certificate cannot be newly notarized. (openai.com)

The company’s support pages show related changes for corporate Mac fleets. A help article updated April 12 says the Team ID stayed the same, 2DC432GLL2, but the signing organization name changed to “OpenAI OpCo, LLC,” and any allowlist that checks certificate fingerprints or organization names must be updated. (help.openai.com)

For individual users, the immediate effect is narrower: install the latest Mac builds before May 8 and stop using older signed versions. For information technology teams, the cleanup also includes updating allowlists and certificate checks so legitimate OpenAI apps keep working after the rotation. (openai.com; help.openai.com)
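
An added example, not OpenAI's code or part of the original article: a fleet-audit check for the rotation described above, run over constructed samples of the two `codesign -dvv` lines it reads. The app keys, the numeric version comparison and the old-organization placeholder are assumptions; the Team ID, new organization name and version floors are the ones quoted in the article.

```python
import re

# Values stated in the article above.
TEAM_ID = "2DC432GLL2"
NEW_ORG = "OpenAI OpCo, LLC"
FIRST_NEW_CERT_VERSION = {
    "ChatGPT Desktop": "1.2026.051",
    "Codex App": "26.406.40811",
    "Codex CLI": "0.119.0",
    "Atlas": "1.2026.84.2",
}

# Constructed samples of the two `codesign -dvv` lines this check reads.
# OLD_ORG is a placeholder: the article does not give the previous name.
OLD_ORG = "PREVIOUS-ORG-PLACEHOLDER"
SAMPLE_NEW = f"Authority=Developer ID Application: {NEW_ORG} ({TEAM_ID})\nTeamIdentifier={TEAM_ID}\n"
SAMPLE_OLD = f"Authority=Developer ID Application: {OLD_ORG} ({TEAM_ID})\nTeamIdentifier={TEAM_ID}\n"

def version_key(version):
    """Assumption: dotted parts compare numerically, so '051' counts as 51."""
    return tuple(int(part) for part in version.split("."))

def parse_codesign(text):
    """Extract the Team ID and the leaf certificate's organization name."""
    team = re.search(r"^TeamIdentifier=(\S+)$", text, re.M)
    leaf = re.search(r"^Authority=Developer ID Application: (.+) \(\w+\)$", text, re.M)
    return {"team_id": team.group(1) if team else None,
            "org": leaf.group(1) if leaf else None}

def audit(app, version, codesign_text):
    """Return findings for one install; an empty list means it passes."""
    minimum = FIRST_NEW_CERT_VERSION.get(app)
    if minimum is None:
        return [f"no baseline for {app!r}"]
    findings = []
    if version_key(version) < version_key(minimum):
        findings.append(f"version {version} predates {minimum}")
    sig = parse_codesign(codesign_text)
    if sig["team_id"] != TEAM_ID:
        findings.append(f"unexpected Team ID {sig['team_id']}")
    if sig["org"] != NEW_ORG:
        findings.append(f"signer organization {sig['org']!r} is not {NEW_ORG!r}")
    return findings

if __name__ == "__main__":
    print(audit("ChatGPT Desktop", "1.2026.051", SAMPLE_NEW))
    print(audit("Codex CLI", "0.118.0", SAMPLE_OLD))  # constructed older version
```

Because the Team ID is unchanged, a Team ID check alone passes both samples; only the version floor and the organization name separate a build signed with the old certificate from one signed with the new one.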
