OpenAI flags third-party data issue — all macOS users should update now

News
By published

OpenAI rotated certificates out of an abundance of caution

The OpenAI logo displayed on a screen with the flag of the United States in the background.
(Image credit: Shutterstock)
  • OpenAI rotated macOS code‑signing certificate after Axios supply chain breach
  • Malicious Axios 1.14.1 pulled into app‑signing workflow
  • No evidence of data theft, but older app versions deprecated

OpenAI recently rotated its macOS code signing certificate and pushed new versions of macOS products as a proactive measure against potential malware attacks.

When an app is signed with a valid developer certificate (like OpenAI’s), the system assumes the developer is verified, the app hasn’t been tampered with, and that it’s safe to run. Having malware signed with one of these certificates almost guarantees it will bypass protections and will be allowed to run on the endpoint.

In an update published late last week, the popular AI company said it observed a breach at Axios, a third-party developer tool it uses, in late March this year. Axios is a JavaScript library used to send HTTP requests (it allows apps to talk to servers). It was compromised, and a malicious version - 1.14.1 - was pushed.

Article continues below

The attack was apparently part of a broader software supply chain attack, it was said. At the time, OpenAI used a GitHub Actions workflow in the macOS app-signing process, which downloaded and executed that malicious version.

User data is safe

“This workflow had access to a certificate and notarization material used for signing macOS applications, including ChatGPT Desktop, Codex, Codex-cli, and Atlas,” OpenAI explained.

While the company’s incident analysis determined that the signing certificate was “likely not successfully exfiltrated”, it still treated it as compromised and decided for a rotation.

“Effective May 8, 2026, older versions of our macOS desktop apps will no longer receive updates or support, and may not be functional,” OpenAI warned. “These versions represent the earliest releases signed with our updated certificate:

ChatGPT Desktop: 1.2026.051

Codex App: 26.406.40811

Codex CLI: 0.119.0

Atlas: 1.2026.84.2”

In the same report, the company stated that there is no evidence user data was accessed, intellectual property was compromised, or that the software itself was altered in any way.

Via Reuters

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.