OpenAI macOS security alert
OpenAI disclosed a security issue affecting its macOS app tied to a third‑party library or verification workflow and urged users to update by May 8 while it rotates code‑signing certificates. Multiple outlets reported the update and recommended patching to avoid the vulnerability.
OpenAI is telling macOS users to update its desktop apps by May 8 after a security issue touched the system that proves those apps are genuine. (openai.com)

OpenAI said the problem began on March 31, 2026, when Axios, a third-party developer library, was compromised in a broader software supply chain attack. A GitHub Actions workflow in OpenAI’s macOS app-signing process then downloaded and ran the malicious Axios version 1.14.1. (openai.com)

That workflow had access to a certificate and notarization material used to sign ChatGPT Desktop, Codex, Codex Command-Line Interface, and Atlas for macOS. OpenAI said it found no evidence that user data was accessed, its systems or intellectual property were compromised, or its software was altered. (openai.com) (cnbc.com)

Code-signing certificates are the digital IDs that let macOS verify an app really came from its stated developer. OpenAI said it is rotating those certificates so someone cannot try to distribute a fake app that appears to come from OpenAI. (openai.com) (cybernews.com)

The deadline matters because OpenAI said older macOS app versions will stop working after May 8, 2026, unless users install the latest releases. Reports on April 11 and April 12 said the update applies to OpenAI’s Mac apps rather than its web service, Windows software, or Android apps. (openai.com) (moneycontrol.com) (help.openai.com)

Software supply chain attacks work by poisoning a tool developers trust, then letting that bad code flow into other companies’ build systems. OpenAI said the compromised component was not its own app code, but a dependency used during the workflow that signs Mac software for release. (openai.com)

Axios is widely used in JavaScript projects to handle web requests, which is why a compromised release can spread quickly through automated build pipelines. OpenAI said the affected workflow was part of how it prepared Mac apps for distribution, not how customers used ChatGPT itself. (openai.com) (aol.com)

The Mac apps named by OpenAI span both consumer and developer tools: ChatGPT Desktop for general use, Codex and Codex Command-Line Interface for coding work, and Atlas. OpenAI’s developer documentation describes the Codex app as a macOS desktop product and says the app is available on Apple Silicon Macs. (openai.com) (developers.openai.com)

OpenAI’s public response has been narrow and specific: rotate the certificates, ship fresh app builds, and have Mac users update before the old trust chain expires on May 8. For users, the practical step is the same as the opening warning: install the latest OpenAI macOS app versions. (openai.com)
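
The article says the malicious Axios version 1.14.1 reached a signing workflow as a build dependency. As an added example (not OpenAI's code or tooling), this Node.js function checks a parsed npm `package-lock.json` for that version, including nested copies pulled in by other packages; the function name and both sample lockfiles are constructed for illustration.

```javascript
// Added example: flag lockfile entries that resolve to the axios release
// named in the article. Only the version number comes from the page.
const FLAGGED = { name: "axios", version: "1.14.1" };

// Return every location where a parsed package-lock.json pins the flagged release.
function findFlagged(lock, bad = FLAGGED) {
  const hits = [];
  const marker = "node_modules/";
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // "" (root project) or a workspace folder
    // Aliased installs record the real package name in meta.name.
    const name = meta.name || path.slice(idx + marker.length);
    if (name === bad.name && meta.version === bad.version) hits.push(path);
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === bad.name && meta.version === bad.version) hits.push(here.join(" > "));
      walk(meta.dependencies, here);
    }
  };
  // v2 files carry both sections; walk the tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "signing-tools", version: "0.0.0" },
    "node_modules/axios": { version: "1.0.0" },
    "node_modules/uploader/node_modules/axios": { version: "1.14.1" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    uploader: { version: "2.0.0", dependencies: { axios: { version: "1.14.1" } } },
  },
};

console.log(findFlagged(sampleV3)); // nested copy only; the top-level 1.0.0 is not flagged
console.log(findFlagged(sampleV1));
```

To check a real project, pass the function the result of `JSON.parse` on the lockfile's contents. A hit in a lockfile that a CI job installs from means that job's secrets should be treated as exposed and rotated, as the article describes OpenAI doing with its certificates.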