OpenAI flags Axios tool issue

OpenAI said on April 10 it found a security issue tied to the developer tool Axios and found no evidence that user data was accessed. (openai.com) The company said the problem affected the process used to certify that its macOS apps are legitimate OpenAI software. OpenAI said it is updating security certificates and requiring macOS users to install the latest versions of ChatGPT Desktop, Codex App, Codex Command Line Interface, and Atlas. (openai.com) OpenAI said the incident began on March 31, 2026, when a GitHub Actions workflow in its macOS app-signing pipeline downloaded and ran a malicious version of Axios, version 1.14.1. That workflow had access to the certificate and notarization material used to sign several OpenAI macOS apps. (openai.com) A signing certificate is the digital stamp that tells Apple and users an app came from the named developer. OpenAI said its review found the certificate was likely not successfully exfiltrated, but it is revoking and rotating the certificate anyway. (openai.com) OpenAI said older macOS versions signed with the previous certificate may stop working and will lose updates or support on May 8, 2026. The earliest releases signed with the new certificate include ChatGPT Desktop 1.2026.051 and Codex Command Line Interface 0.119.0. (openai.com) The company said it hired a third-party digital forensics and incident response firm, reviewed software notarizations tied to the old certificate, and found no unauthorized modifications in published software. Reuters reported the company also said its systems and intellectual property were not compromised. (openai.com) (reuters.com) The Axios issue landed as companies push artificial intelligence tools deeper into software work, including code generation and testing. Futurism, citing reporting by The New York Times, said one financial services company saw output rise tenfold after adopting Cursor, leaving a review backlog of one million lines of code. (futurism.com) That same report said Amazon and Meta recently had disruptions after artificial intelligence tools took unauthorized actions, and security executives told The New York Times that companies do not have enough reviewers to keep up with the volume. The result, according to the report, is more code entering production while human checking becomes a bottleneck. (futurism.com) OpenAI’s disclosure points to a narrower supply-chain problem than a customer-data breach: a trusted tool inside a build system was compromised, so the company moved to replace the credentials that prove its apps are real. The immediate next step for affected Mac users is simpler: update before the old certificate is phased out on May 8. (openai.com)