OpenAI has announced that all macOS users are required to update their desktop applications due to a security incident involving Axios, a commonly used third-party developer library.
The security breach occurred as part of a broader software supply chain attack reported on March 31, 2026. OpenAI’s macOS app-signing process was compromised when a malicious version of Axios was downloaded and executed through a GitHub Actions workflow. This workflow had access to certificates used for signing macOS applications such as ChatGPT Desktop, Codex, Codex-cli, and Atlas.
Although OpenAI’s analysis suggests that the signing certificate was likely not successfully stolen by the malicious payload, the company is taking precautionary measures by treating the certificate as compromised, revoking it, and rotating it.
OpenAI has confirmed that there is no evidence of unauthorized access to user data, compromise of systems or intellectual property, or alteration of software. There have been no instances of malware signed as OpenAI, and neither passwords nor API keys have been affected.
Starting May 8, 2026, older versions of the macOS apps will cease to receive updates or support and may become non-functional. Users are urged to update their applications via in-app prompts or the official OpenAI download pages.
The underlying cause of the incident was a workflow misconfiguration related to a floating tag and the absence of a minimum release age for new packages. OpenAI has since rectified this issue. It is important to note that this security breach only impacts macOS versions and does not affect iOS, Android, Linux, Windows, or web versions.
