OpenAI Addresses Supply Chain Vulnerability: Security Update Required for macOS Users

OpenAI has identified a security risk stemming from the compromise of the Axios developer tool. While no user data was breached, all macOS users must update their apps by May 8, 2026, because the apps' signing certificates are being rotated and older builds will stop working.
OpenAI's Swift Response to Supply Chain Attack
In a detailed security disclosure, OpenAI revealed that a GitHub Actions workflow used for macOS app signing executed a malicious version of the third-party developer tool Axios (v1.14.1) on March 31, 2026. This incident was part of a broader supply chain attack affecting the global software industry.
- Impacted Tools: ChatGPT Desktop, Codex, Codex CLI, and Atlas.
- No Data Breach: Forensic analysis found no evidence that user data, intellectual property, or server systems were accessed.
- Mandatory Rotation: As a preventative measure, OpenAI is revoking the potentially exposed signing certificates.
The Shift Toward Proactive Defense
The significance of this response lies in OpenAI's decision to mandate a complete certificate rotation within a 30-day window. Although forensic evidence suggests the signing keys were not successfully exfiltrated, treating the certificate as "compromised by default" demonstrates a high-maturity security posture: a certificate that may have been exposed is revoked rather than assumed safe. By transitioning from floating tags (which a maintainer or an attacker with repository access can move to point at new code) to specific commit hashes (which are immutable) in their CI/CD pipelines, OpenAI is hardening its internal supply chain against future automated package compromises. This "zero-trust" approach to developer dependencies is becoming the standard for AI organizations handling sensitive user workflows.
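The pinning change described above is easy to state and easy to let slip back in, so a practical defender's check is a script that audits workflow files for `uses:` references that still float on a tag or branch. The following is an added illustration written for this article, not code from OpenAI or from any project mentioned here. The workflow text is constructed for the example; the `example-org/sign-tool` action and the all-zeros SHA are placeholders, and the check is purely syntactic (a 40-character hex string is accepted as a pin without verifying it exists upstream).

```python
"""Audit GitHub Actions workflow text for `uses:` steps that are not pinned
to a full commit SHA. Added example for this article; not OpenAI's tooling."""
import re
from dataclasses import dataclass

# Matches "uses: owner/repo@ref" (optionally quoted, optionally as a list item).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
# A full 40-hex commit SHA is the only reference git cannot silently move.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    line_no: int
    ref: str
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` step that floats on a tag/branch or has no ref."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and docker images are not git tag/SHA refs; skip them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(n, ref, "no version reference at all"))
            continue
        _, version = ref.rsplit("@", 1)
        if SHA_RE.match(version):
            continue  # pinned to an immutable commit
        findings.append(
            Finding(n, ref, f"floating reference {version!r} (tag or branch), not a 40-hex commit SHA")
        )
    return findings


# Constructed sample workflow: two steps float, one is SHA-pinned (placeholder SHA), one is local.
SAMPLE_WORKFLOW = """\
name: sign-macos-app
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000  # placeholder SHA, not a real pin
      - uses: ./.github/actions/notarize
      - uses: example-org/sign-tool@main
      - run: npm ci
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.ref}: {f.reason}")
```

Running it on the sample flags lines 7 and 10 (`@v4` and `@main`) and passes the SHA-pinned and local steps. The same "immutable identifier" principle applies to the package manifests a workflow installs: exact versions plus a lockfile carrying integrity hashes, installed with a lockfile-respecting command such as `npm ci`, so that a newly published malicious release of a dependency like Axios is not pulled in automatically.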
Important: Effective May 8, 2026, older builds of OpenAI macOS apps will no longer be supported or functional. Users are urged to update via official channels only.
Source: OpenAI Incident Response