OpenAI macOS security alert

OpenAI identified a vulnerability tied to a third-party developer tool called Axios that could affect how its macOS apps are validated. It said user data was not accessed and advised macOS users to update their apps. OpenAI described the issue as related to the process that certifies legitimate OpenAI macOS applications. (reuters.com)

OpenAI told macOS users to update their apps after it found a security issue tied to Axios, a developer tool used in its software pipeline. (openai.com) The company said on April 10, 2026 that it found no evidence user data was accessed, its systems or intellectual property were compromised, or its software was altered. It said the risk involved the process used to certify that its macOS apps are legitimate OpenAI software. (openai.com)

That certification works like a digital seal from Apple and the developer: it helps macOS decide whether an app is authentic and safe to run. OpenAI said it is rotating and updating those security certificates and requires macOS users to install the latest versions of OpenAI apps. (openai.com)

The trigger was a broader software supply-chain attack disclosed on March 31, 2026, when attackers slipped malicious code into published versions of Axios, a widely used JavaScript networking library. Microsoft said the tainted releases were Axios versions 1.14.1 and 0.30.4. (microsoft.com) Microsoft attributed that Axios compromise to Sapphire Sleet, a North Korean state actor, and said the malicious packages tried to contact attacker-controlled servers after installation. The company said the bad versions were removed, but developers who downloaded them needed to investigate their environments. (microsoft.com)

OpenAI said one of its internal tools downloaded a compromised Axios update, creating a path by which an attacker could have tried to steal a certificate and use it to make a fake OpenAI app appear genuine. OpenAI said it has not seen evidence that happened. (axios.com)

Reuters reported on April 11 that OpenAI’s response was focused on protecting macOS app validation rather than cleaning up a user-data breach. CNBC reported the same day that the company’s statement covered user data, systems, intellectual property and software integrity, all of which OpenAI said showed no evidence of compromise. (reuters.com) (cnbc.com)

The warning reaches beyond ChatGPT Desktop. Forbes reported that OpenAI’s macOS certificate changes affect ChatGPT Desktop, the Codex app, Codex Command Line Interface and Atlas, and that users who do not update will eventually lose access as old certificates are revoked. (forbes.com)

OpenAI’s public advice was simple: update every OpenAI app on macOS to the latest version so the new certificates replace the old ones. The company said those steps are meant to reduce the chance that someone could distribute a fake OpenAI app that passes as real. (openai.com)
