OpenAI rotates macOS signing certificates after Axios supply-chain compromise

Original: We recently identified a security issue involving the third-party developer library Axios that was part of a broader industry incident. We found no evidence that OpenAI user data was accessed, that our systems were compromised, or that our software was altered. Out of an abundance of caution we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps. We are updating our security certifications, which will require all macOS users to update their OpenAI apps to the latest versions. This helps prevent any risk—however unlikely—of someone attempting to distribute a fake app that appears to be from OpenAI. You can update safely through an in-app update or at the official links below.

AI · Apr 11, 2026 · By Insights AI · 2 min read

What OpenAI disclosed

On April 10, 2026, OpenAI published a security note explaining that a compromised third-party developer library, Axios 1.14.1, was downloaded and executed inside a GitHub Actions workflow used in its macOS app-signing pipeline. OpenAI said the issue was part of a broader industry supply-chain incident first identified on March 31, 2026 (UTC). According to the company, the affected workflow had access to the certificate and notarization material used to sign ChatGPT Desktop, Codex App, Codex CLI, and Atlas.

The negative finding matters as much as the exposure itself. OpenAI said it found no evidence that user data was accessed, that its systems or intellectual property were compromised, or that published software was altered, and that it has not seen malware signed as OpenAI. But because the workflow touched the material that establishes whether a macOS app really comes from OpenAI, the company is treating the certificate as compromised anyway and rotating it.

What Mac users need to do

OpenAI says all macOS users should update through in-app updates or official download pages only. The company published fresh builds of all affected macOS products and says May 8, 2026 is the cutoff date after which older builds signed with the previous certificate will no longer receive updates or support and may stop functioning. The earliest versions signed with the replacement certificate are listed as follows:

  • ChatGPT Desktop: 1.2026.051
  • Codex App: 26.406.40811
  • Codex CLI: 0.119.0
  • Atlas: 1.2026.84.2

OpenAI also said the issue is limited to its macOS apps. It does not affect iOS, Android, Linux, Windows, or the web versions of its products. The company is working with Apple to block new notarization attempts with the old certificate and says macOS should reject any newly signed fraudulent app using that certificate unless a user explicitly bypasses platform protections.

Why this is a high-signal software supply-chain update

The deeper significance is operational, not only user-facing. OpenAI identified the root cause as a GitHub Actions misconfiguration: the workflow referenced a floating tag instead of a specific commit hash and did not enforce a minimumReleaseAge for newly published packages. That is a concrete reminder that modern AI products are secured not just at model and API layers, but across CI/CD, notarization, dependency pinning, and release-signing infrastructure.
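The two misconfigurations OpenAI named are both checkable from the repository alone. The script below is an added example, not OpenAI's tooling or any part of its pipeline: it scans a GitHub Actions workflow for `uses:` references that are not pinned to a full commit SHA, and checks a pnpm workspace file for a `minimumReleaseAge` gate. The sample workflows and pnpm fragments are constructed for the example, the 40-character SHAs are placeholders rather than real commits, and it assumes the workflow installs dependencies with pnpm, which reads `minimumReleaseAge` in minutes (a 24-hour gate is 1440). The two checks are complementary: SHA pinning protects the action code the job runs, while the release-age gate is what would have delayed a freshly published malicious package such as the Axios version at issue.

```python
import re

# Constructed sample workflow in the weak form the note describes: third-party
# actions referenced by floating refs (v4, main), so a retagged or force-pushed
# ref silently changes the code the signing job executes.
WEAK_WORKFLOW = """\
name: sign-macos
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/sign-action@main
      - run: pnpm install --frozen-lockfile
"""

# Same workflow with each action pinned to a full commit SHA. The SHAs below are
# placeholders, not real commits; in practice copy them from the action's repo
# and keep the version as a trailing comment so update tooling can still bump them.
HARDENED_WORKFLOW = """\
name: sign-macos
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # v4 (placeholder SHA)
      - uses: example-org/sign-action@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  # v1.2.0 (placeholder SHA)
      - run: pnpm install --frozen-lockfile
"""

# Constructed pnpm-workspace.yaml fragments: no release-age gate versus a 24-hour
# gate. Assumption: dependencies are installed with pnpm, which honours this key
# and expresses it in minutes.
WEAK_PNPM = "packages:\n  - 'apps/*'\n"
HARDENED_PNPM = "packages:\n  - 'apps/*'\nminimumReleaseAge: 1440\n"

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MIN_AGE_RE = re.compile(r"^\s*minimumReleaseAge:\s*(\d+)", re.MULTILINE)


def unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        if spec.startswith(("./", "docker://")):
            continue  # local-path and container actions carry no git ref to pin
        action, _, ref = spec.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref or "<none>"))
    return findings


def min_release_age_minutes(pnpm_workspace_text):
    """Return the configured minimumReleaseAge in minutes, or 0 if unset."""
    match = MIN_AGE_RE.search(pnpm_workspace_text)
    return int(match.group(1)) if match else 0


def audit_pipeline(workflow_text, pnpm_workspace_text, required_age_minutes=1440):
    """Collect human-readable findings for the two misconfigurations at issue."""
    findings = [
        f"action {action} uses floating ref '{ref}' instead of a commit SHA"
        for action, ref in unpinned_actions(workflow_text)
    ]
    age = min_release_age_minutes(pnpm_workspace_text)
    if age < required_age_minutes:
        findings.append(
            f"minimumReleaseAge is {age} min, below the required {required_age_minutes} min"
        )
    return findings


if __name__ == "__main__":
    for label, wf, cfg in (("weak", WEAK_WORKFLOW, WEAK_PNPM),
                           ("hardened", HARDENED_WORKFLOW, HARDENED_PNPM)):
        print(f"[{label}]")
        for line in audit_pipeline(wf, cfg) or ["no findings"]:
            print("  -", line)
```

Run as a pre-merge check over every file under `.github/workflows/`, the weak sample produces three findings (two floating refs plus the missing release-age gate) and the hardened sample none; raising `required_age_minutes` lets a team demand a longer quarantine for newly published packages than the 24 hours used here.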

An inference from OpenAI’s response is that the company is optimizing for trust in its developer and desktop distribution chain before there is any sign of actual user harm. If the value of a certificate is that users can trust “this installer really came from the vendor,” then even a low-probability exposure forces a response. The story is therefore bigger than one compromised package: it shows how AI vendors are being pushed to treat build pipelines as part of their core security boundary, especially once agentic products like Codex and Atlas are shipped as installable software rather than only as web services.

Sources: OpenAI X post · OpenAI security note
