OpenAI flags Axios tool issue
OpenAI identified a security issue involving a third‑party developer tool called Axios and said user data was not accessed while it secures the process that certifies macOS apps as official OpenAI clients. (reuters.com)
OpenAI said on April 10 that a security issue in the Axios developer tool touched its Mac app signing process, but it found no evidence user data was accessed. (openai.com)

The company said a malicious Axios package ran on March 31, 2026, inside a GitHub Actions workflow used to sign macOS apps including ChatGPT Desktop, Codex App, Codex Command Line Interface, and Atlas. That workflow had access to a certificate and notarization material used to prove those apps came from OpenAI. (openai.com)

A signing certificate works like a digital ID card for software: Apple and users rely on it to tell a real app from an impostor. OpenAI said it is revoking and rotating that certificate and requiring all macOS users to update to newly signed versions. (openai.com)

OpenAI said its analysis found the certificate was likely not successfully stolen because of the timing of the malicious code, how the certificate was injected into the job, and other safeguards. It still treated the certificate as compromised and said the older Mac app versions could stop working after May 8, 2026. (openai.com)

The company said the issue did not affect passwords or OpenAI application programming interface keys, and it found no evidence its systems, intellectual property, or published software were altered. It also said the root cause was a misconfiguration in the GitHub Actions workflow and that the problem has been addressed. (cnbc.com)

The Axios incident was part of a broader software supply chain attack, a type of breach in which attackers tamper with a widely used tool so the malware rides into many companies through routine updates. OpenAI said it hired a digital forensics and incident response firm and worked with Apple so software signed with the old certificate cannot be newly notarized. (openai.com)

OpenAI published the earliest Mac versions signed with the new certificate: ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex Command Line Interface 0.119.0, and Atlas 1.2026.84.2. Users can update through the apps or through OpenAI’s official download pages. (openai.com)

The immediate task for Mac users is simple: update before May 8 and make sure the app comes from OpenAI’s official channels. OpenAI’s response leaves the company replacing the digital ID cards for its Mac software before the old ones expire. (openai.com)