OpenAI

OpenAI Mandates macOS App Updates After Supply Chain Security Incident


Executive Summary

OpenAI has disclosed its response to a security incident involving a compromised open-source library, TanStack npm, which affected two internal employee devices. Although the company found no evidence of compromise to user data, production systems, or intellectual property, it is rotating its code-signing certificates as a significant precaution. Consequently, all users of OpenAI's macOS applications are required to update their software by June 12, 2026, to ensure continued functionality and security.

Key Takeaways

* Incident Trigger: The security issue stemmed from a broader supply chain attack known as "Mini Shai-Hulud," which compromised the widely used `TanStack npm` library.

* Scope of Impact: Two employee devices were compromised, leading to unauthorized access and limited credential exfiltration from a small subset of internal source code repositories.

* No User Data Compromise: OpenAI's investigation confirmed that no user data was accessed, production systems were not breached, and no software was altered.

* Remediation Action: As a precaution, OpenAI is rotating all its code-signing certificates for Windows, macOS, and iOS applications.

* Mandatory Update for macOS Users: Users of OpenAI's macOS apps (ChatGPT Desktop, Codex App, Codex CLI, Atlas) must update to the latest versions.

* Deadline: The deadline for updating is June 12, 2026. After this date, older versions of the macOS apps will no longer be supported and may stop functioning.

Strategic Importance

This announcement demonstrates OpenAI's proactive security posture in addressing software supply chain threats, reinforcing user trust by transparently communicating a contained incident and mandating precautionary updates.

Original article