OpenAI Rotates macOS Signing Certificates After Axios Supply-Chain Incident

Original: Our response to the Axios developer tool compromise

AI · Apr 12, 2026 · By Insights AI

OpenAI said on April 10, 2026 that a compromised Axios package reached a GitHub Actions workflow used in its macOS app-signing process. The company traced the issue to March 31, 2026, when Axios version 1.14.1 was compromised as part of a broader software supply-chain incident. The affected workflow had access to the certificate and notarization material used to sign ChatGPT Desktop, Codex App, Codex CLI, and Atlas for macOS.

OpenAI said it found no evidence that user data was accessed, that its systems or intellectual property were compromised, or that its software was altered. Even so, because the workflow could reach the signing material, it is rotating the affected macOS signing certificate as a precaution and asking all macOS users to update through official channels. The company said that, effective May 8, 2026, older versions of those macOS apps will no longer receive updates or support and may stop functioning.

Operational details

OpenAI listed the earliest releases signed with the updated certificate as ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex CLI 0.119.0, and Atlas 1.2026.84.2. It also said it engaged a third-party digital forensics and incident response firm, reviewed notarization events, and worked with Apple so software signed with the previous certificate cannot be newly notarized.

The disclosure is a useful case study in software supply-chain risk. OpenAI said the root cause was a GitHub Actions misconfiguration: the workflow used a floating tag instead of a pinned commit and did not set a minimum release age for new packages. A floating tag can be moved to point at new content after it was reviewed, and without a release-age cooldown a freshly published version is installed in the window between its publication and the point at which a compromise is noticed; together, those two gaps are enough for a malicious release to run inside a job that holds signing material. That makes the incident relevant beyond OpenAI's own apps, especially for teams that rely on CI pipelines to handle signing, release, or deployment secrets.
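The two missing controls named above can both be checked mechanically. The following is an added example and is not OpenAI's workflow or tooling: a stdlib-only Python script that flags `uses:` references in a GitHub Actions workflow that are not pinned to a full commit SHA (or, for `docker://` images, to a sha256 digest), and a release-age filter that mirrors the cooldown some package managers now offer (pnpm calls the setting `minimumReleaseAge`), selecting the newest version of a package that has been published for at least a given number of days. The function names (`audit_uses`, `choose_version`, `demo_choice`), the workflow text, the placeholder SHA, the registry metadata and the timestamps are all constructed for illustration and do not reflect the real axios publish history.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed workflow (not OpenAI's): one pinned step, two floating references,
# a local action and a container image referenced by tag. The SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: sign-macos
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/notarize
      - uses: docker://alpine:3.20
      - run: npm ci
"""

# Shape of the `time` map in an npm registry packument; the values are constructed
# and do not reflect the real axios publish history.
SAMPLE_REGISTRY_TIME = {
    "created": "2020-01-01T00:00:00.000Z",
    "modified": "2026-03-31T12:05:00.000Z",
    "1.14.0": "2026-03-20T10:00:00.000Z",
    "1.14.1": "2026-03-31T12:05:00.000Z",
}
NOW = datetime(2026, 3, 31, 13, 0, tzinfo=timezone.utc)  # constructed "current time"

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SEMVER = re.compile(r"\d+\.\d+\.\d+")


def audit_uses(workflow_text):
    """Return (line, reference, problem) for each `uses:` that is not pinned.

    Pinned means a full 40-hex commit SHA for actions and reusable workflows,
    or a sha256 digest for docker:// images. Tags (v4, v4.1.1) and branches are
    mutable and can be repointed at new content after review, which is what a
    floating reference exposes a job to. Local actions (./path) ship with the
    repository and are skipped.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1).strip("\"'")
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((n, ref, "container image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append((n, ref, "no ref given; resolves to the default branch"))
            continue
        version = ref.rpartition("@")[2]
        if not SHA40.match(version):
            findings.append((n, ref, f"floating ref '{version}' (tag or branch)"))
    return findings


def parse_version(version):
    """Numeric semver core as a sortable tuple, e.g. '1.14.1' -> (1, 14, 1)."""
    return tuple(int(part) for part in version.split("."))


def choose_version(registry_times, minimum_age, now):
    """Newest version whose publish time is at least `minimum_age` before `now`.

    Pre-release versions and the non-version keys (created, modified) are
    ignored. Returns None when nothing has aged past the cooldown, which is the
    right answer for a signing pipeline: fail closed rather than install a
    version published minutes ago.
    """
    eligible = []
    for version, published in registry_times.items():
        if not SEMVER.fullmatch(version):
            continue
        ts = datetime.fromisoformat(published.replace("Z", "+00:00"))
        if now - ts >= minimum_age:
            eligible.append(version)
    return max(eligible, key=parse_version) if eligible else None


def demo_choice(cooldown_days):
    """Apply choose_version to the constructed registry data above."""
    return choose_version(SAMPLE_REGISTRY_TIME, timedelta(days=cooldown_days), NOW)


if __name__ == "__main__":
    for n, ref, problem in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref}: {problem}")
    print("with 7-day cooldown:", demo_choice(7))  # 1.14.0
    print("with no cooldown:", demo_choice(0))     # 1.14.1
```

Run against the constructed workflow, the audit reports `actions/checkout@v4` and `docker://alpine:3.20` and accepts the SHA-pinned step. The release-age filter picks `1.14.0` under a seven-day cooldown and only yields `1.14.1` when the cooldown is zero, which is the behaviour a pipeline without a minimum release age has. Note that pinning to a SHA removes the moving-tag risk but not the risk that the pinned commit itself is malicious; the cooldown buys time for a compromise to be reported before the version is consumed, and neither replaces keeping signing material out of jobs that run third-party code.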

The company also narrowed the scope of impact, saying the iOS, Android, Linux, Windows, and web versions of its software were not affected. Explicit scoping of that kind matters in incident response because it tells users which remediation steps are necessary and which are not.

Source: OpenAI
