OpenAI macOS security alert
OpenAI disclosed a security issue tied to a third‑party developer tool and told macOS users to update ChatGPT and Codex apps, with older app versions having their certificates revoked and losing support after May 8. OpenAI said user data was not accessed but advised urgent updates to restore verified app status. (reuters.com)
OpenAI is telling macOS users to update ChatGPT and Codex now after a supply-chain security scare touched the company’s app-signing system. (openai.com)
OpenAI said a GitHub Actions workflow in its macOS signing process downloaded and ran a malicious version of Axios on March 31, 2026 (UTC). That workflow had access to the certificate and notarization material used to sign ChatGPT Desktop, Codex, Codex Command Line Interface, and Atlas for macOS. (openai.com)
A signing certificate is the digital stamp that tells a Mac an app really came from a named developer. OpenAI said it has now rotated those certificates, and older app versions will lose updates and support after May 8, 2026. (openai.com)
OpenAI said it found no evidence that user data was accessed, its systems or intellectual property were compromised, or its shipped software was altered. Reuters and CNBC reported the company described the move as a precaution to prevent fake apps from appearing legitimate. (reuters.com, cnbc.com)
The issue stems from a software supply-chain attack, where attackers tamper with a trusted building block instead of attacking a company directly. OpenAI said the compromised tool was Axios, a widely used JavaScript library, and that the incident was part of a broader industry attack disclosed on March 31. (openai.com, axios.com)
For Mac users, the practical change is simple: update to versions signed with OpenAI’s new certificate or the apps may stop working as expected after May 8. OpenAI said users can restore verified app status by installing the latest releases from official channels. (openai.com, 9to5mac.com)
OpenAI’s notice covers ChatGPT Desktop, Codex, Codex Command Line Interface, and Atlas on macOS. The company said the certificate change was made “out of an abundance of caution,” even though it had not seen evidence that attackers used the material to distribute malicious OpenAI apps. (openai.com, axios.com)
The deadline gives OpenAI a cutoff for retiring the old trust chain and pushing users onto newly signed builds. For anyone using OpenAI tools on a Mac, the company’s message is to update before Thursday, May 8, 2026. (openai.com)