OpenAI

OpenAI Mandates macOS App Updates After Third-Party Security Breach


Executive Summary

OpenAI is responding to a security incident where a third-party developer tool (Axios) used in their macOS app-signing process was compromised. Although OpenAI found no evidence that its systems or user data were affected, it is proactively revoking its old macOS code signing certificate out of an abundance of caution. Consequently, all users of OpenAI macOS apps, including ChatGPT Desktop, must update to the latest versions before a specified deadline to ensure continued security and functionality.

Key Takeaways

* Incident: A GitHub Actions workflow used by OpenAI downloaded a malicious version of Axios, a third-party developer library, potentially exposing the certificate used to sign its macOS applications.

* Impacted Apps: The incident affects OpenAI's macOS apps, including ChatGPT Desktop, Codex App, Codex CLI, and Atlas. Web, iOS, Android, Linux, and Windows versions are not affected.

* No Data Breach: OpenAI's investigation found no evidence that user data was accessed, intellectual property was compromised, or that its software was altered.

* Action Required: All macOS users are required to update their OpenAI applications. This ensures their software is signed with the new, secure certificate.

* Deadline: Effective May 8, 2026, older versions of the macOS apps will no longer be supported, receive updates, and may cease to function.

* Root Cause: The vulnerability stemmed from a misconfigured GitHub Actions workflow, which has since been fixed.

Strategic Importance

This announcement is a proactive measure to maintain user trust and security hygiene by addressing a potential supply chain vulnerability before any malicious exploitation occurs, demonstrating a commitment to transparency.

Original article