macOS OpenAI update urged

OpenAI warned macOS users to update its apps after identifying a security issue tied to a misconfigured GitHub Actions workflow and a compromised third‑party library. The company said it corrected the configuration and urged users to install updates by May 8. (timesnownews.com)

OpenAI told Mac users to update its desktop apps after a software supply chain attack touched the company’s app-signing process. (openai.com)

The issue started on March 31, 2026, when a GitHub Actions workflow in OpenAI’s macOS signing pipeline downloaded Axios 1.14.1, a compromised version of a widely used developer library. That workflow had access to signing certificates and Apple notarization material for ChatGPT Desktop, Codex, Codex Command Line Interface, and Atlas. (openai.com)

Code-signing is the digital seal that tells macOS an app came from a known developer, and notarization is Apple’s extra malware check before the app runs. OpenAI said it found no evidence that user data was accessed, that its systems or intellectual property were compromised, or that any shipped app was modified. (openai.com; cnbc.com)

OpenAI said it corrected the GitHub Actions configuration, revoked and rotated the affected certificates, and rebuilt the impacted macOS apps with new signing material. The company told users to install the latest versions by May 8, 2026, and said older versions may stop working after that date. (openai.com; 9to5mac.com)

GitHub says its hosted runners do not scan code a workflow downloads during a job, including a malicious third-party package. That means a poisoned dependency can slip into an automated build step even when the underlying GitHub runner is functioning as designed. (docs.github.com)

OpenAI’s disclosure places the incident in a broader pattern of supply chain attacks, where attackers tamper with a shared software component so downstream companies pull in the bad code automatically. Axios is a common JavaScript networking library, which made the March 31 compromise more dangerous for teams that used it in build systems. (openai.com; forbes.com)

The company’s public guidance is narrower than a general breach notice: it applies to macOS apps tied to the affected signing workflow, not ChatGPT on the web, Windows, or Android. OpenAI’s Mac app release notes and support pages show the company maintains separate platform-specific update tracks for desktop software. (help.openai.com)

For users, the practical step is simple: update the Mac apps now and avoid waiting for the May 8 cutoff. OpenAI said the malicious library was removed, the credentials were replaced, and the rebuilt apps are the versions it wants people running. (openai.com)
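
For teams that build with npm, a defender's check for the scenario above, as an added example rather than code from OpenAI or the article: it walks a parsed npm lockfile and reports every install path that resolves to the Axios 1.14.1 release named in the report, including nested and aliased copies. The sample lockfile, its package names and its other version numbers are constructed.

```javascript
// Added example: audit a parsed npm lockfile for known-bad package versions.
// FLAGGED holds the release named in the article; extend it per advisory.
const FLAGGED = new Map([["axios", new Set(["1.14.1"])]]);

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = name ? flagged.get(name) : undefined;
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  // lockfileVersion 2 and 3: flat map keyed by install path.
  // An aliased install carries the real package name in meta.name.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    check(meta.name || nameFromPath(path), meta.version, path);
  }
  // lockfileVersion 1: nested dependency tree (skipped when "packages"
  // exists, since v2 files duplicate the same data in both sections).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail.concat(name).join(" > "));
      walk(meta.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: a clean top-level copy, a nested copy pinned to the
// flagged release, and an alias that hides the package name in its path.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "signing-tools", version: "0.0.1" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/uploader/node_modules/axios": { version: "1.14.1" },
    "node_modules/http-alias": { name: "axios", version: "1.14.1" },
  },
};
console.log(findFlagged(SAMPLE_LOCK));
```

In a pipeline, pass the result of `JSON.parse` on `package-lock.json` to `findFlagged` and fail the job on a non-empty result, in a step that runs before signing credentials are made available.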
