OpenAI Urges Immediate Update of macOS Apps After Security Issue Involving Axios

OpenAI has issued an urgent alert to users of its macOS applications, advising them to update to the latest versions immediately. This action follows the discovery of a security issue connected to a third-party developer tool, Axios. OpenAI states there is no evidence that user data was exposed or that its systems were compromised. However, the company is taking precautionary steps to prevent any potential misuse.

Key Highlights

• OpenAI urges immediate update of macOS apps after Axios-related security issue
• Malicious Axios version accessed sensitive signing certificate on March 31, 2026
• Older app versions will stop working or updating after May 8, 2026
• Affected apps include ChatGPT Desktop, Codex, Codex CLI, and Atlas

Details of the Security Incident

The issue traces back to Axios, a widely used developer library. Axios was recently compromised in a broader supply chain attack. On March 31, 2026, a malicious version of Axios (version 1.14.1) was downloaded and executed during one of OpenAI’s automated processes for signing macOS apps. The affected system had access to a sensitive signing certificate and related files. These certificates are essential for verifying that an app is authentic and safe for users.

OpenAI’s investigation indicates that the attacker likely did not obtain the certificate, due to the setup and timing of the process. Despite this, OpenAI is treating the certificate as potentially exposed and is taking steps to mitigate any risk.

Actions Taken and User Guidance

As a precaution, OpenAI is revoking the old certificate and replacing it with a new one. This change will cause older versions of its macOS apps to stop working or receiving updates starting May 8, 2026. Users must update the following apps to the latest versions: ChatGPT Desktop, Codex, Codex CLI, and Atlas. Updating ensures the apps are signed with the new, secure certificate.

OpenAI explained, 'As part of our investigation and response, we engaged a third-party digital forensics and incident response firm, rotated our macOS code signing certificate, published new builds of all relevant macOS products with the new certificate, and are working with Apple to ensure software signed with the previous certificate cannot be newly notarised.'

Once OpenAI fully revokes the certificate on May 8, 2026, macOS security protections will block new downloads and launches of apps signed with the previous certificate. Users are strongly advised to update their apps before this date to maintain access and security.