OpenAI warns of third‑party installer bug

OpenAI said a third‑party developer tool called Axios introduced a vulnerability in the process used to certify its macOS apps, and the company reported that no user data was accessed. The company urged users to update affected applications while framing this as a supply‑chain security issue rather than a data breach. (reuters.com)

OpenAI told macOS users on April 10 to update its desktop apps after a compromised coding package touched the system it uses to prove those apps are genuine. (openai.com) The company said a GitHub Actions workflow in its macOS signing process downloaded a malicious version of Axios on March 31, 2026. That workflow had access to the certificate and notarization material used for ChatGPT Desktop, Codex App, Codex Command Line Interface, and Atlas. (openai.com) A signing certificate is the digital stamp that tells Apple and users a program really came from its developer.

OpenAI said it found no evidence that user data was accessed, its systems or intellectual property were compromised, or its shipped software was altered. (openai.com) The company is revoking the old certificate and issuing a new one, even though its investigation concluded the certificate was likely not successfully stolen. OpenAI said the timing of the malicious code, the way the certificate was injected into the job, and the order of steps in the workflow reduced that risk. (openai.com)

This was a software supply chain attack, which means the weak point was a shared tool used during development rather than OpenAI’s consumer systems. Microsoft said two poisoned Axios releases, versions 1.14.1 and 0.30.4, were published on March 31 and pulled second-stage malware from attacker-controlled servers. (microsoft.com) Microsoft attributed the Axios compromise to Sapphire Sleet, a North Korean state actor, and said the malicious packages targeted macOS, Windows, and Linux machines. OpenAI said the Axios incident was part of that broader industry attack. (microsoft.com, openai.com)

For users, the practical change is simple: update every affected OpenAI app on a Mac. OpenAI said older versions will stop receiving updates or support on May 8, 2026, and may stop working after that date. (openai.com) OpenAI listed these earliest versions signed with the new certificate: ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex Command Line Interface 0.119.0, and Atlas 1.2026.84.2. The company said updates should come through the app itself or its official download pages. (openai.com)

OpenAI also said passwords and OpenAI application programming interface keys were not affected. The company said it hired a third-party digital forensics and incident response firm, reviewed notarized software tied to the old certificate, and found no unexpected notarization or unauthorized changes in published apps. (openai.com)

The episode leaves OpenAI describing a narrow but serious risk: not stolen chats or hacked servers, but the chance that a fake Mac app could appear to carry OpenAI’s badge. Its fix is to replace that badge before attackers can try to use it. (openai.com)
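A defender-side check for the version floors quoted above, written as an added example rather than anything OpenAI published: it reads each app bundle's Info.plist and compares the installed version numerically against the earliest version signed with the new certificate. The bundle paths are assumptions and may need adjusting; the Codex CLI is not an app bundle and is left out of the path list.

```python
import plistlib
from pathlib import Path

# Earliest versions signed with the new certificate, as listed in the article.
MIN_VERSIONS = {
    "ChatGPT Desktop": "1.2026.051",
    "Codex App": "26.406.40811",
    "Codex Command Line Interface": "0.119.0",
    "Atlas": "1.2026.84.2",
}

# Assumed bundle locations (not published by OpenAI); adjust to the install.
# The Codex CLI is not an app bundle and is not located by this script.
APP_PATHS = {
    "ChatGPT Desktop": "/Applications/ChatGPT.app",
    "Codex App": "/Applications/Codex.app",
    "Atlas": "/Applications/ChatGPT Atlas.app",
}

def parse_version(version):
    """Dotted version -> tuple of ints, so '051' compares as 51, not as text."""
    return tuple(int(part) for part in version.split("."))

def is_at_least(installed, minimum):
    """installed >= minimum, segment by segment; missing trailing segments
    count as zero, so 1.2026.84 compares equal to 1.2026.84.0."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def installed_version(app_path):
    """CFBundleShortVersionString from the bundle's Info.plist, or None."""
    plist = Path(app_path) / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    with plist.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")

def check_versions(installed):
    """Map each listed app to 'ok', 'outdated' or 'not installed'."""
    return {
        app: "not installed" if installed.get(app) is None
        else ("ok" if is_at_least(installed[app], minimum) else "outdated")
        for app, minimum in MIN_VERSIONS.items()
    }

if __name__ == "__main__":
    found = {app: installed_version(path) for app, path in APP_PATHS.items()}
    for app, status in check_versions(found).items():
        print(f"{app}: {found.get(app) or '-'} -> {status}")
```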

Shared from Scout - Be the smartest in the room.