OpenAI revokes Mac app certificate after Axios supply chain incident

OpenAI said its macOS app-signing workflow downloaded a malicious version of the Axios library on March 31, then moved to revoke and rotate the certificate used to sign ChatGPT Desktop, Codex, Codex CLI and Atlas. The company said it found no evidence that user data, internal systems or intellectual property were compromised.

KEY FACTS

  • Workflow: A GitHub Actions job used for macOS app signing downloaded Axios 1.14.1.
  • Impact: OpenAI said the signing certificate will be treated as compromised and replaced.
  • Deadline: Older macOS app versions will stop receiving updates and support on May 8, 2026.
  • Updated builds: The earliest releases signed with the new certificate are already listed for four desktop products.

In a public disclosure, the company said the workflow had access to certificate and notarization material used to sign its desktop software. It said the malicious payload likely did not exfiltrate the signing certificate because of the timing of execution and how the job was sequenced.

The incident followed Google Threat Intelligence Group’s attribution of the Axios package compromise to a North Korean-linked group that pushed poisoned npm releases 1.14.1 and 0.30.4. Those versions carried a malicious dependency that deployed a backdoor on Windows, macOS and Linux systems.
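For teams asking whether their own build pipelines pulled in the poisoned releases, the first check is the lockfile. The script below is an added example, not code from OpenAI, Axios or Google; the only page-derived values are the two version numbers, and the lockfile contents are constructed for illustration. It handles both the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1, so copies of axios nested under another package are reported too.

```python
"""Scan npm lockfiles for the poisoned Axios releases named in the article.

Added example, not OpenAI's or the Axios project's code. The version numbers
are those reported in the article; the sample lockfiles below are constructed.
"""
import json
import sys

# Poisoned npm releases named in the article.
POISONED_AXIOS = {"1.14.1", "0.30.4"}


def find_poisoned_axios(lockfile_text: str) -> list[tuple[str, str]]:
    """Return sorted (install path, version) pairs for every axios entry
    whose version is one of the poisoned releases.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by install path
    (e.g. "node_modules/foo/node_modules/axios"); lockfileVersion 1 keeps a
    recursive "dependencies" tree. Both shapes are walked.
    """
    data = json.loads(lockfile_text)
    hits: set[tuple[str, str]] = set()

    if "packages" in data:
        for path, meta in data["packages"].items():
            # The last path segment after "node_modules/" is the package name.
            if path.split("node_modules/")[-1] == "axios" and meta.get("version") in POISONED_AXIOS:
                hits.add((path, meta["version"]))
    else:
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name == "axios" and meta.get("version") in POISONED_AXIOS:
                    hits.add((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")

        walk(data.get("dependencies", {}), "")

    return sorted(hits)


# Constructed lockfileVersion 3 sample: a top-level axios and a nested copy.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "example-signing-workflow",  # constructed project name
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-signing-workflow", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/some-tool": {"version": "2.0.0"},
        "node_modules/some-tool/node_modules/axios": {"version": "0.30.4"},
        "node_modules/axios-retry": {"version": "4.0.0"},  # similar name, must not match
    },
})

# Constructed lockfileVersion 1 sample: only the nested copy is poisoned.
SAMPLE_LOCKFILE_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.13.0"},
        "some-tool": {
            "version": "2.0.0",
            "dependencies": {"axios": {"version": "0.30.4"}},
        },
    },
})


def main(argv: list[str]) -> int:
    """Scan each lockfile path given on the command line; exit 1 on any hit."""
    found = False
    for arg in argv[1:]:
        with open(arg, encoding="utf-8") as fh:
            for path, version in find_poisoned_axios(fh.read()):
                print(f"{arg}: {path} is axios {version} (poisoned release)")
                found = True
    return 1 if found else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv))
    # No arguments: demonstrate on the constructed samples.
    print(find_poisoned_axios(SAMPLE_LOCKFILE_V3))
    print(find_poisoned_axios(SAMPLE_LOCKFILE_V1))
```

The constructed sample pins a caret range (`^1.14.0`) in the root entry on purpose: a CI job that installs from a range rather than a committed lockfile will pick up whatever the registry's newest matching release is on the day it runs, which is one way a signing workflow ends up downloading a freshly published poisoned version. Scanning the lockfile tells you what was actually resolved; committing and installing from that lockfile (`npm ci`) keeps the resolution fixed.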

OpenAI said it stopped new software notarizations using the old certificate and is working with Apple so software signed with it cannot be newly notarized. The company added that macOS security protections would block new software signed with the previous certificate by default unless a user bypasses them.

The latest signed versions are ChatGPT Desktop 1.2026.071, Codex App 26.406.40811, Codex CLI 0.119.0 and Atlas 1.2026.84.2. The company said the 30-day transition window is meant to reduce disruption and give users time to update.

WHY IT MATTERS

The case shows how a supply chain compromise in a widely used developer tool can reach production software signing processes even when no direct data theft is found. It also highlights how certificate rotation and notarization controls can limit the risk of unauthorized software being treated as legitimate.