OpenAI rotates macOS certificates

OpenAI disclosed a security issue tied to a third‑party developer tool affecting its macOS apps and has rotated app‑signing certificates while urging users to update their desktop apps. The company said no user data or internal systems were breached and that remediation is focused on certificate rotation and app updates. (siliconrepublic.com, tekedia.com)

OpenAI is rotating the certificates that prove its Mac apps are genuine after a tainted developer tool touched its app-signing pipeline on March 31. (openai.com) The company said a GitHub Actions workflow in its macOS signing process downloaded and ran a malicious version of Axios, version 1.14.1, during a broader software supply chain attack. That workflow had access to a certificate and notarization materials used to sign ChatGPT Desktop, Codex, Codex-cli, and Atlas for macOS. (openai.com)

OpenAI said it found no evidence that user data was accessed, that its systems or intellectual property were compromised, or that its software was altered. The company disclosed the issue on April 10 and said all macOS users need the latest versions of its desktop apps. (openai.com, cnbc.com)

A code-signing certificate works like a digital passport for an app: it tells macOS that software really came from the named developer. Apple’s notarization system adds a second check, scanning software before it runs on a Mac. (openai.com, support.apple.com) OpenAI said rotating those credentials is meant to block “any risk” that someone could try to distribute a fake app that appears to come from OpenAI. Older macOS versions of its apps may stop working after May 8, 2026, if users do not update. (openai.com, business-standard.com)

The incident sits inside a wider attack on the JavaScript package ecosystem. The Hacker News reported that attackers compromised an account belonging to an Axios maintainer and pushed a malicious release that could give remote access on Windows, macOS, and Linux systems. (thehackernews.com, theverge.com) OpenAI said timing and technical safeguards made successful theft of its signing materials unlikely, but it still revoked and replaced the affected credentials. Security researchers at Socket said the case shows how a compromised open-source package can spill into downstream software distribution pipelines. (openai.com, socket.dev)

For Mac users, the practical change is simple: update OpenAI’s desktop apps before the old certificates are retired. OpenAI said the fix is precautionary, but it is treating the signing chain as if trust must be rebuilt from scratch. (openai.com)
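The defensive step Socket's observation points at is checking whether any build or release pipeline resolved the compromised release before it ran. The script below is an added example (not OpenAI's, Axios's, or Socket's code) that walks an npm package-lock.json and flags the exact package/version pair the article names, Axios 1.14.1; it assumes npm's lockfile layout (the nested "dependencies" tree of lockfileVersion 1 and the flat "packages" map of versions 2 and 3), and the lockfile it scans is constructed for illustration. It scans the lockfile rather than package.json because a manifest range such as ^1.14.0 says nothing about which release was actually installed; only the lockfile records that.

```python
"""Flag a known-compromised npm release in a package-lock.json.

Added example, not code from OpenAI, Axios, or Socket. Assumes npm's
lockfile formats (v1 nested "dependencies", v2/v3 flat "packages").
"""
import json

# The only package/version pair the article identifies as malicious.
COMPROMISED = {"axios": {"1.14.1"}}

# Constructed sample lockfile: a project whose ^1.14.0 range resolved to
# the compromised release. Not taken from any real repository.
SAMPLE_LOCKFILE = json.dumps({
    "name": "signing-helper",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})


def _walk_v1(deps, path=()):
    """Yield (name, version, path) from a lockfileVersion 1 dependency tree."""
    for name, info in deps.items():
        here = path + (name,)
        yield name, info.get("version", ""), here
        yield from _walk_v1(info.get("dependencies", {}), here)


def iter_locked_packages(lock):
    """Yield (name, version, path) for every installed package in a lockfile dict."""
    if "packages" in lock:  # lockfileVersion 2 or 3
        for key, info in lock["packages"].items():
            if not key:
                continue  # "" is the root project itself, not a dependency
            # Nested installs look like node_modules/a/node_modules/b; the
            # package name is whatever follows the last node_modules/.
            name = key.rsplit("node_modules/", 1)[-1]
            yield name, info.get("version", ""), (key,)
    else:  # lockfileVersion 1
        yield from _walk_v1(lock.get("dependencies", {}))


def find_compromised(lockfile_text, blocklist=COMPROMISED):
    """Return a list of {name, version, path} for every blocklisted pin found."""
    lock = json.loads(lockfile_text)
    hits = []
    for name, version, path in iter_locked_packages(lock):
        if version in blocklist.get(name, ()):
            hits.append({"name": name, "version": version, "path": "/".join(path)})
    return hits


if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_LOCKFILE):
        print(f"compromised pin: {hit['name']}@{hit['version']} at {hit['path']}")
```

Run it against a repository's real package-lock.json by reading the file into `find_compromised`; a non-empty result means the workflow that installed from that lockfile should be treated as having executed the tainted release, which is the situation OpenAI described for its signing job.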
