OpenAI flags third‑party flaw

OpenAI disclosed a security issue tied to a third‑party developer tool called Axios and said user data was not accessed. (reuters.com) The company urged users, especially on macOS, to update applications to the latest versions as a precaution.

OpenAI said on April 10 it found a security issue tied to Axios, a third-party developer library, and said it found no evidence user data was accessed. (openai.com) The company said the issue affected the process used to certify that its macOS apps are legitimate OpenAI software. OpenAI said all macOS users should update to the latest versions of ChatGPT Desktop, Codex App, Codex Command Line Interface, and Atlas. (openai.com)

Axios is a software library, a reusable code package developers plug into apps and build systems instead of writing every function from scratch. OpenAI said a compromised Axios package was downloaded and executed by a GitHub Actions workflow in its macOS app-signing pipeline on March 31, 2026 (Coordinated Universal Time). (openai.com) That workflow had access to a code-signing certificate and notarization material used for OpenAI’s macOS apps. A code-signing certificate is the digital equivalent of a company seal; OpenAI said it is revoking and rotating that certificate even though its analysis found the malicious payload likely did not successfully steal it. (openai.com)

OpenAI said it found no evidence that its systems or intellectual property were compromised, and no evidence its published software was altered. It also said it reviewed notarization tied to the older certificate and found no unexpected software notarization. (openai.com)

The practical effect is a cutoff date for older Mac software. OpenAI said that effective May 8, 2026, older versions of its macOS desktop apps will no longer receive updates or support and may stop functioning. (openai.com) OpenAI listed the earliest macOS releases signed with the updated certificate: ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex Command Line Interface 0.119.0, and Atlas 1.2026.84.2. The company said users can update through in-app prompts or official OpenAI download links. (openai.com)

The incident lands as OpenAI is pushing more desktop and developer tooling on Apple devices. Its help center says the macOS app has added features such as project support, app integrations, and code-editing workflows, widening the role those signed desktop apps play in day-to-day use. (help.openai.com) OpenAI’s developer documentation also shows how its products now connect to outside tools and data sources through Model Context Protocol servers, part of a broader push to make ChatGPT and related apps work with third-party systems. That makes the integrity of build and signing pipelines more important, because users rely on certificates to tell authentic software from fakes. (developers.openai.com; openai.com)

OpenAI said it hired a third-party digital forensics and incident response firm and is working with Apple to block newly notarized software signed with the previous certificate. For Mac users, the immediate step is simpler: install the newer signed versions before the May 8 cutoff. (openai.com)
