OpenAI flags macOS supply‑chain issue
OpenAI disclosed a software supply‑chain problem tied to a third‑party tool used in certifying its macOS apps and said it found no evidence that user data was accessed. (reuters.com) It urged macOS users to update ChatGPT and Codex immediately while vendors and enterprise buyers reassess signing and update chains. (cybersecuritynews.com)
OpenAI told macOS users to update ChatGPT, Codex, Codex Command Line Interface, and Atlas after a compromised developer tool touched its app-signing pipeline. (openai.com) The company said on April 10, 2026 that a GitHub Actions workflow in its macOS signing process downloaded a malicious version of Axios, version 1.14.1, on March 31, 2026 Coordinated Universal Time. That workflow had access to the certificate and notarization material used to sign ChatGPT Desktop, Codex, Codex Command Line Interface, and Atlas for Apple computers. (openai.com) App signing is the digital seal that tells a Mac a program really came from the named developer.

OpenAI said it found no evidence that user data was accessed, that its systems or intellectual property were compromised, or that its published software was altered. (openai.com) The immediate risk was not a breach of ChatGPT conversations or application programming interface keys, but the chance that a stolen signing certificate could help make a fake app look legitimate. OpenAI said passwords and OpenAI application programming interface keys were not affected. (cnbc.com)

OpenAI said its analysis found the certificate was likely not successfully exfiltrated because of the timing of the malicious payload, when the certificate was injected into the job, and other safeguards. It said it is still treating the certificate as compromised and is revoking and rotating it. (openai.com) The company also said Apple is helping ensure software signed with the previous certificate cannot be newly notarized. OpenAI said it reviewed notarization activity tied to the old certificate and found no unexpected software notarization with those keys. (openai.com) This incident sits inside a software supply-chain attack, where attackers tamper with a shared component used by many companies instead of breaking into each one directly.

Reuters and CNBC reported that OpenAI linked the broader Axios compromise to actors believed to be associated with North Korea. (reuters.com) (cnbc.com)

OpenAI set May 8, 2026 as the cutoff for older macOS builds signed with the previous certificate. After that date, older versions will no longer receive updates or support and may stop functioning. (openai.com) The earliest versions signed with the new certificate are ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex Command Line Interface 0.119.0, and Atlas 1.2026.84.2. OpenAI said macOS users should update through the in-app updater or the company’s official download pages. (openai.com)
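For an enterprise fleet, the practical follow-up to this notice is a check that each installed OpenAI macOS app is at or above the first build signed with the rotated certificate, and that the bundle on disk is signed by the expected developer identity. The script below is an added example written for this page, not OpenAI's or Apple's code. The minimum versions and the May 8, 2026 cutoff are taken from the article; the Team Identifier value, the bundle identifier and the sample `codesign -dvv` report are constructed placeholders that an operator would replace with values read from a freshly downloaded build on a trusted machine.

```python
"""Fleet check for the OpenAI macOS certificate rotation described above.

Two checks per app:
  1. installed version >= first build signed with the new certificate
  2. `codesign -dvv` report names the expected Team Identifier
"""
from __future__ import annotations

import re
from datetime import date

# Earliest builds signed with the new certificate, as published by OpenAI.
MIN_VERSION = {
    "ChatGPT Desktop": "1.2026.051",
    "Codex App": "26.406.40811",
    "Codex Command Line Interface": "0.119.0",
    "Atlas": "1.2026.84.2",
}

# Date after which builds signed with the old certificate lose support.
OLD_CERT_CUTOFF = date(2026, 5, 8)

# ASSUMPTION / PLACEHOLDER: not OpenAI's real Team Identifier. Read the real
# value from a freshly downloaded, verified build and substitute it here.
EXPECTED_TEAM_ID = "TEAMID0000"

# Constructed sample of `codesign -dvv` output for a bundle; the identifier
# and team are placeholders, not the real values for any OpenAI app.
SAMPLE_CODESIGN_OUTPUT = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
Runtime Version=14.0.0
"""


def parse_version(v: str) -> tuple[int, ...]:
    """'1.2026.051' -> (1, 2026, 51). Leading zeros are insignificant;
    a component with no leading digits raises instead of silently comparing
    as zero, so a malformed version string cannot pass the gate by accident."""
    out = []
    for part in v.strip().split("."):
        m = re.match(r"(\d+)", part)
        if not m:
            raise ValueError(f"unparseable version component {part!r} in {v!r}")
        out.append(int(m.group(1)))
    return tuple(out)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter tuples are right-padded with zeros so that
    '0.119' and '0.119.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def needs_update(app: str, installed: str) -> bool:
    """True if the installed build predates the first new-certificate build."""
    if app not in MIN_VERSION:
        raise KeyError(f"unknown app {app!r}")
    return compare_versions(installed, MIN_VERSION[app]) < 0


def signer_ok(codesign_output: str, expected_team_id: str = EXPECTED_TEAM_ID) -> bool:
    """Parse the TeamIdentifier= line of a `codesign -dvv` report and compare
    it to the expected team. Missing line -> False (unsigned or ad-hoc)."""
    m = re.search(r"^TeamIdentifier=(\S+)$", codesign_output, re.M)
    return bool(m) and m.group(1) == expected_team_id


def assess(app: str, installed: str, codesign_output: str, today: date) -> dict:
    """Combine both checks into one record suitable for a fleet report."""
    update = needs_update(app, installed)
    return {
        "app": app,
        "installed": installed,
        "needs_update": update,
        # An old-certificate build still installed after the cutoff is the
        # case the notice says may stop functioning and is no longer supported.
        "past_cutoff": update and today > OLD_CERT_CUTOFF,
        "signer_ok": signer_ok(codesign_output),
    }


if __name__ == "__main__":
    for app, ver in [("Codex Command Line Interface", "0.118.9"), ("Atlas", "1.2026.84.2")]:
        print(assess(app, ver, SAMPLE_CODESIGN_OUTPUT, date(2026, 5, 9)))
```

On a real Mac the `codesign_output` argument would come from `codesign -dvv /Applications/<App>.app 2>&1`; comparing the Team Identifier rather than the human-readable `Authority=` name is deliberate, because the display name is easy to imitate while the team identifier is bound to the developer account.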