admin 
OpenAI has told users of its Mac software to update their applications after a third-party supply-chain incident touched the company’s app-signing workflow, prompting a wider effort to replace security certificates and tighten the process that proves its desktop software is authentic. The company said there is no evidence that user data was accessed, that passwords or API keys were exposed, or that its systems, intellectual property or software were altered.
The issue centres on Axios, a widely used JavaScript library for handling web requests, not the US media company with the same name. OpenAI said a GitHub Actions workflow involved in signing Mac applications downloaded and executed a malicious version of Axios, version 1.14.1, on March 31, 2026 UTC. That workflow had access to certificate and notarisation material used for Mac software including ChatGPT Desktop, Codex, Codex CLI and Atlas. OpenAI’s internal review found the signing certificate was likely not successfully exfiltrated, but it decided to treat the material as compromised and rotate it anyway.
That decision matters because code-signing certificates sit at the heart of software trust on Apple devices. When a legitimate developer signs an app, macOS uses that signature and Apple’s notarisation process to help users distinguish genuine software from counterfeits. OpenAI said the central danger in this case was not a breach of customer accounts or model infrastructure, but the possibility that an attacker could have tried to sign a fake application so that it appeared to come from OpenAI. The company said it has seen no evidence that the exposed signing and notarisation material was misused, and that all notarisation events tied to the affected material were expected.
OpenAI’s response has been designed to close that window quickly while avoiding a disorderly shutdown for users. It said older versions of its Mac desktop applications will stop receiving updates or support from May 8, 2026 and may no longer function. The earliest versions signed with the new certificate are ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex CLI 0.119.0 and Atlas 1.2026.84.2. OpenAI also said it has worked with Apple so that software signed with the previous certificate cannot be newly notarised, a step intended to make it harder for any fraudulent build to pass through standard Mac security checks.
The wider incident gives the disclosure more weight than a routine software advisory. Security researchers at Google and Microsoft said compromised Axios packages were part of a broader software supply-chain attack linked to a North Korea-aligned threat actor. Google’s threat team said malicious Axios releases 1.14.1 and 0.30.4 briefly introduced a dependency that deployed a backdoor across Windows, macOS and Linux. Microsoft separately said the tainted packages connected to malicious command-and-control infrastructure and could install a remote-access trojan, underscoring how a trusted open-source component can become a distribution channel for malware when a maintainer account is hijacked.
The Axios maintainers’ own post-mortem adds detail to the chronology. Jason Saayman, one of the project’s maintainers, said two malicious versions were published through his compromised account and remained live for about three hours before removal. He said the attack followed a targeted social-engineering campaign that led to a remote-access infection on the maintainer’s machine, giving the attacker access to the npm account used to publish packages. That short exposure window did not erase the seriousness of the event, because widely used software components can spread quickly through automated installs and build systems across the industry.
For OpenAI, the episode is also a reminder that fast-growing artificial intelligence companies face old-fashioned cyber risks alongside the newer concerns around models, data and misuse. The company said the root cause on its side was a misconfiguration in the GitHub Actions workflow: an action used a floating tag rather than a specific commit hash and did not enforce a minimum release age for new packages. Those details point to a broader lesson running across the software sector, where security teams are pushing developers to pin dependencies more tightly, review build pipelines more rigorously and assume that even trusted external components can turn hostile without warning.
