OpenAI supply-chain flaw

OpenAI said on April 10 that a compromised software component briefly touched its Mac app signing pipeline, and it is rotating certificates as a precaution. (openai.com) The company said it found no evidence that user data was accessed, that its systems or intellectual property were compromised, or that its software was altered. All macOS users must update OpenAI apps to the latest versions, the company said. (openai.com) The issue traces to March 31, 2026, when a GitHub Actions workflow in OpenAI’s macOS app-signing process downloaded Axios version 1.14.1, a malicious release of a widely used JavaScript library. That workflow had access to the certificate and notarization material used for ChatGPT Desktop, Codex, Codex Command Line Interface, and Atlas. (openai.com) A code-signing certificate is the digital stamp that tells a Mac an app really came from the developer it claims to be. OpenAI said the main risk was that a stolen certificate could help a fake app appear to be an official OpenAI download. (openai.com; axios.com) OpenAI said its analysis found the certificate was “likely not successfully exfiltrated” because of the timing of the malicious payload, when the certificate was injected into the job, and the sequence of the workflow itself. Even so, the company said it is revoking and rotating the certificate. (openai.com) The company said Apple is helping ensure software signed with the previous certificate cannot be newly notarized, and OpenAI said it reviewed prior notarizations for unexpected activity. It also said it hired a third-party digital forensics and incident response firm during the investigation. (openai.com) Older Mac versions signed with the previous certificate will stop receiving updates or support on May 8, 2026, and “may not be functional,” OpenAI said. The earliest replacement builds are ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex Command Line Interface 0.119.0, and Atlas 1.2026.84.2. (openai.com) The Axios incident was part of a broader supply-chain attack, a type of breach that targets a trusted building block instead of the final company directly. Microsoft said on April 1 that the malicious Axios releases were tied to Sapphire Sleet, a North Korea-linked threat actor. (microsoft.com) Security researchers and the Axios maintainers said the malicious npm releases were versions 1.14.1 and 0.30.4, and they were available only briefly before removal. Snyk said Axios is downloaded more than 100 million times a week, which is why a short-lived package compromise can still ripple into build systems across the industry. (github.com; snyk.io) OpenAI said the root cause on its side was a misconfiguration in the GitHub Actions workflow, and CNBC reported that passwords and OpenAI application programming interface keys were not affected. The immediate fix for Mac users is simpler: update every OpenAI desktop app before May 8. (cnbc.com; openai.com)