OpenAI macOS security alert

OpenAI found a vulnerability in a third‑party developer tool used to certify its macOS apps and says there’s no evidence user data, passwords or API keys were accessed. The company warned older macOS desktop apps will stop receiving updates or support from May 8 as it closes the issue and notifies users (reuters.com).

A Mac app carries a kind of digital passport that tells your computer who made it, and OpenAI just said the passport for some of its Mac software may have been exposed inside an automated build system on March 31, 2026. OpenAI says it found no evidence that user data was accessed, that software was changed, or that the certificate was actually stolen. (openai.com)

The immediate effect for users is simple: update every OpenAI Mac app you use before May 8, 2026. After that date, older versions will stop getting updates or support and may stop working. (openai.com)

The tool at the center of this was Axios, a popular software library that developers use to let one program talk to another over the internet. Microsoft said malicious Axios versions 1.14.1 and 0.30.4 were published on March 31, 2026, in a wider software supply chain attack it attributed to Sapphire Sleet, a North Korean state actor. (microsoft.com)

OpenAI says one of its GitHub Actions workflows downloaded Axios 1.14.1 during the process that signs Mac apps. GitHub Actions is GitHub’s automation system for running build jobs, so this was not a customer’s Mac downloading malware directly but an internal assembly line touching a tainted part. (openai.com) (docs.github.com)

That signing step matters because macOS checks whether software was signed by a known developer before it lets it run cleanly outside the Mac App Store. Apple says Developer ID signing helps Gatekeeper verify the app’s source, and Apple’s notarization service then scans the software for malicious content before distribution. (developer.apple.com 1) (developer.apple.com 2)

OpenAI says the workflow that touched the bad Axios package had access to a certificate and notarization material used for ChatGPT Desktop, Codex, Codex command line interface, and Atlas. In plain English, that means the risky part was the stamp used to prove an app was really from OpenAI. (openai.com)

The company’s own analysis says the malicious payload likely did not manage to exfiltrate that stamp because of timing, how the certificate was injected into the job, and the order of steps in the workflow. Even so, OpenAI is treating the certificate as compromised and replacing it anyway. (openai.com)

That is why this is less about stolen chats and more about fake apps. OpenAI says the update is meant to block the unlikely case that someone could distribute a bogus Mac app that appears to come from OpenAI. (openai.com) (axios.com)

OpenAI says it has already rotated the Mac code-signing certificate, shipped new builds, reviewed past notarization records for anything unexpected, and worked with Apple so software signed with the old certificate cannot be newly notarized. That closes off the main route an attacker would want if they were trying to make a counterfeit app look official after the fact. (openai.com)

The cutoff versions are specific. OpenAI says the earliest safe releases signed with the new certificate are ChatGPT Desktop 1.2026.071, Codex App 26.406.40811, Codex command line interface 0.119.0, and Atlas 1.2026.84.2. (openai.com)

So if you use OpenAI software on a Mac, the checklist is short: update through the app itself or through OpenAI’s official download pages, and do it before Thursday, May 8, 2026. The story here is not that OpenAI found stolen passwords; it is that a software factory touched a poisoned component and is swapping out the factory seal before anyone can misuse it. (openai.com)
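As an added example, not code from OpenAI or from this briefing, here is a small POSIX shell check that compares an installed app's version against the cutoff releases quoted above and then asks macOS itself to assess the bundle's Developer ID signature and notarization. The bundle paths and the `defaults`, `spctl` and `codesign` invocations are assumptions about a standard install and only do anything useful on macOS; the version comparison runs anywhere.

```shell
#!/bin/sh
# Added example: check installed OpenAI Mac apps against the cutoff versions
# OpenAI published, then let Gatekeeper assess signature and notarization.

# version_ge A B: exit 0 if dot-separated numeric version A >= B
version_ge() {
    _a="$1"; _b="$2"
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x="${_a%%.*}"; _y="${_b%%.*}"
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
        case "$_a" in *.*) _a="${_a#*.}";; *) _a="";; esac
        case "$_b" in *.*) _b="${_b#*.}";; *) _b="";; esac
    done
    return 0
}

# Earliest releases signed with the new certificate, as stated in OpenAI's notice.
min_version_for() {
    case "$1" in
        ChatGPT)   echo "1.2026.071";;
        Codex)     echo "26.406.40811";;
        codex-cli) echo "0.119.0";;
        Atlas)     echo "1.2026.84.2";;
        *) return 1;;
    esac
}

# needs_update NAME VERSION: exit 0 when VERSION is older than the cutoff
needs_update() {
    _m=$(min_version_for "$1") || return 2
    version_ge "$2" "$_m" && return 1
    return 0
}

# check_app NAME BUNDLE_PATH: version check plus Gatekeeper assessment.
# Bundle paths are assumptions; adjust to where the apps are installed.
check_app() {
    _name="$1"; _path="$2"
    [ -d "$_path" ] || { echo "$_name: not installed at $_path"; return 2; }
    _ver=$(defaults read "$_path/Contents/Info" CFBundleShortVersionString 2>/dev/null)
    if needs_update "$_name" "$_ver"; then
        echo "$_name $_ver: BELOW cutoff, update before May 8, 2026"
    else
        echo "$_name $_ver: at or above cutoff"
    fi
    # Gatekeeper: verifies the Developer ID signature and the notarization ticket
    spctl --assess --type execute -vv "$_path" 2>&1 | sed 's/^/    /'
    # Signing chain and team, so the rotated certificate can be seen in place
    codesign -dvv "$_path" 2>&1 | grep -E '^(Authority|TeamIdentifier)' | sed 's/^/    /'
}
```

Run it as, for example, `check_app ChatGPT /Applications/ChatGPT.app`; a bundle that is at or above the cutoff but fails the `spctl` assessment still deserves a fresh download from OpenAI's official pages.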

Shared from Scout - Be the smartest in the room.