Canadian Cyber Watch

    OpenAI rotates macOS certs after Axios attack hit code-signing workflow

By admin, April 13, 2026

OpenAI is rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow that had access to them executed a malicious Axios package during a recent supply chain attack.

The company said that on March 31, 2026, the legitimate workflow downloaded and executed a compromised Axios package (version 1.14.1), one of the trojanized versions used in the attack to deploy malware.

That workflow had access to the code-signing certificates used to sign OpenAI's macOS apps, including ChatGPT Desktop, Codex, Codex CLI, and Atlas, so the malicious code ran in a job that could reach that signing material.
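The failure mode above (an untrusted dependency executing in a job that can reach signing material) is easier to avoid if the lockfile is audited before anything runs and if `npm ci --ignore-scripts` runs in a job that holds no signing secrets, since lifecycle scripts are the usual execution vector for a trojanized npm package. As an added example that is not OpenAI's or the Axios project's code: a POSIX shell script that lists every pinned `name@version` in a `package-lock.json` (v2/v3 `packages` format) and refuses to proceed when one matches a blocklist. The lockfile fragment and the blocklist are constructed samples; the only real entry in the blocklist is the `axios@1.14.1` version named in this article.

```shell
#!/bin/sh
# Added example (not OpenAI's or Axios's code): audit a package-lock.json for
# dependency pins on a blocklist before any install step runs. The lockfile and
# the blocklist below are constructed samples.
set -eu

# Print every "name@version" pinned in a lockfile (v2/v3 "packages" map).
# Each entry key looks like "node_modules/<name>" (nested:
# "node_modules/a/node_modules/<name>") and is followed by a "version" line.
lockfile_pins() {
  awk '
    /"node_modules\/[^"]+":/ {
      key = $0
      sub(/^[^"]*"/, "", key); sub(/".*$/, "", key)
      n = split(key, parts, "node_modules/")
      name = parts[n]            # last path component, keeps @scope/pkg intact
    }
    name != "" && /"version": *"/ {
      v = $0
      sub(/^.*"version": *"/, "", v); sub(/".*$/, "", v)
      print name "@" v
      name = ""                  # one version per package entry
    }
  ' "$1"
}

# lockfile_hits LOCKFILE BLOCKLIST: exit 1 and list every pin that appears in
# BLOCKLIST (one exact "name@version" per line); exit 0 when nothing matches.
lockfile_hits() {
  lockfile="$1"; blocklist="$2"
  hits=$(lockfile_pins "$lockfile" | grep -F -x -f "$blocklist" || true)
  if [ -n "$hits" ]; then
    printf 'BLOCKED dependency pin(s):\n%s\n' "$hits"
    return 1
  fi
  return 0
}

# Constructed sample lockfile fragment (not a real project's lockfile).
SAMPLE_LOCK=$(mktemp); BLOCKLIST=$(mktemp)
trap 'rm -f "$SAMPLE_LOCK" "$BLOCKLIST"' EXIT
cat >"$SAMPLE_LOCK" <<'EOF'
{
  "name": "example-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "example-app", "version": "1.0.0" },
    "node_modules/axios": {
      "version": "1.14.1",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz"
    },
    "node_modules/@scope/left-pad": {
      "version": "2.0.0"
    }
  }
}
EOF
# Blocklist: exact name@version pairs known to be malicious. Only the axios
# version named in the article is listed; maintain this from advisory feeds.
printf '%s\n' 'axios@1.14.1' >"$BLOCKLIST"

# Run this gate before "npm ci --ignore-scripts", in a job with no signing secrets.
lockfile_hits "$SAMPLE_LOCK" "$BLOCKLIST" || echo "refusing to run npm ci until the pin is replaced"
```

The gate is deliberately dumb: an exact match on the lockfile pin, not on the `package.json` range, because the lockfile is what `npm ci` actually installs. Keep the signing step in a separate job that consumes the built artifact and never runs `npm install`, so that a compromised dependency has nothing to steal even if the gate is out of date.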

    While OpenAI says its investigation found no evidence that the signing certificate was compromised, the company is treating it as potentially compromised out of caution and is now revoking and rotating it.

    “Out of an abundance of caution we are taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps. We found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered,” explains an OpenAI security advisory.

    “We are updating our security certificates, which will require all macOS users to update their OpenAI apps to the latest versions.”

    macOS users will need to update their apps to versions signed with the new certificate, as older versions may stop working on May 8, 2026.

OpenAI worked with a third-party incident response firm on the investigation, which found no evidence that the incident exposed its certificates or that they were used to distribute malicious software. The company also reviewed previous notarization activity linked to the certificate and confirmed that every submission notarized under it was legitimate OpenAI software. That history covers only what was submitted to Apple's notary service, so it cannot by itself rule out a binary signed with the certificate but never notarized.

    However, if the attacker obtained the certificate, they could use it to sign their own macOS applications that appear to be legitimately signed by OpenAI.

    Therefore, to reduce the risk, OpenAI says it is working with Apple to ensure no future software can be notarized with the previous certificate.

    OpenAI says that the certificate will be fully revoked on May 8, after which attempts to launch applications signed with it will be blocked by macOS protections.
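Because the Team ID shown in a `codesign` `Authority=` line is bound to the developer account rather than to one certificate, it is the same before and after a rotation; telling an app signed with the old certificate from one signed with the new one requires looking at the certificate itself. As an added example that is not OpenAI's or Apple's code: a POSIX shell script that checks both the Team ID and the leaf certificate's SHA-256 fingerprint against expected values. On a Mac the inputs would come from `codesign -dvvv` and from `openssl x509` run over the leaf certificate that `codesign -d --extract-certificates` writes; here both outputs are constructed samples, and the team ID `ABCDE12345`, the vendor name and the fingerprints are placeholders, not OpenAI's values.

```shell
#!/bin/sh
# Added example (not OpenAI's or Apple's code): decide whether an installed macOS
# app is signed by the expected Apple Developer Team AND with a certificate whose
# SHA-256 fingerprint is on an allow-list of current certificates. On a Mac the
# two inputs are produced by:
#   codesign -dvvv /Applications/Example.app 2>&1          # Authority=, TeamIdentifier=
#   codesign -d --extract-certificates /Applications/Example.app   # writes codesign0 (leaf)
#   openssl x509 -inform DER -in codesign0 -noout -fingerprint -sha256 -serial -enddate
# Both outputs below are constructed samples with placeholder identifiers.
set -eu

# From codesign -dvvv text on stdin, print "<TeamIdentifier>|<leaf Authority>".
# The first Authority= line is the leaf (signing) certificate's subject.
signing_identity() {
  awk '
    /^Authority=/ && leaf == "" { leaf = substr($0, 11) }
    /^TeamIdentifier=/         { team = substr($0, 16) }
    END { print team "|" leaf }
  '
}

# From openssl x509 text on stdin, print the SHA-256 fingerprint as bare
# uppercase hex (OpenSSL 1.1 prints "SHA256 Fingerprint=", OpenSSL 3 "sha256 Fingerprint=").
cert_fingerprint() {
  awk -F= 'tolower($1) ~ /fingerprint/ { gsub(/:/, "", $2); print toupper($2) }'
}

# verify_signer CODESIGN_OUT X509_OUT EXPECTED_TEAM ALLOWLIST_FILE
# 0: team matches and leaf fingerprint is allow-listed; 1: wrong team;
# 2: right team but a certificate that is not current (e.g. the rotated-out one).
verify_signer() {
  identity=$(signing_identity <"$1")
  team=${identity%%|*}
  authority=${identity#*|}
  fp=$(cert_fingerprint <"$2")
  if [ "$team" != "$3" ]; then
    printf 'FAIL: team %s, expected %s (leaf: %s)\n' "$team" "$3" "$authority"
    return 1
  fi
  if ! grep -q -x -F "$fp" "$4"; then
    printf 'FAIL: certificate %s is not a current signing certificate (leaf: %s)\n' "$fp" "$authority"
    return 2
  fi
  printf 'OK: team %s, leaf "%s", certificate %s\n' "$3" "$authority" "$fp"
  return 0
}

CODESIGN_OUT=$(mktemp); X509_OUT=$(mktemp); ALLOW=$(mktemp)
trap 'rm -f "$CODESIGN_OUT" "$X509_OUT" "$ALLOW"' EXIT
# Constructed codesign -dvvv output (placeholder vendor and team ID).
cat >"$CODESIGN_OUT" <<'EOF'
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Apr 13, 2026 at 10:00:00
TeamIdentifier=ABCDE12345
EOF
# Constructed openssl x509 output for the extracted leaf certificate (placeholder values).
cat >"$X509_OUT" <<'EOF'
sha256 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
serial=0123456789ABCDEF
notAfter=Feb  1 12:00:00 2031 GMT
EOF
# Allow-list of fingerprints for the vendor's CURRENT certificate(s). After a
# rotation the old fingerprint is removed, so old-cert builds fail with code 2.
printf '%s\n' '00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF' >"$ALLOW"

verify_signer "$CODESIGN_OUT" "$X509_OUT" ABCDE12345 "$ALLOW"
```

Which fingerprint counts as current has to come from the vendor: for this rotation it is whatever OpenAI publishes for the re-signed builds. Once Apple has revoked the old certificate, `codesign --verify` and Gatekeeper will reject those builds on their own, but until May 8 a build signed with the old certificate still verifies cleanly, which is exactly the window this check is for.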

    OpenAI says the issue is limited to its macOS applications and does not affect its web services or apps on iOS, Android, Windows, or Linux. It also says user accounts, passwords, and API keys were not impacted.

    Users are advised to update via in-app features or the official download pages, and to avoid installing software from links sent via email, ads, or third-party sites.

    The company says it will continue monitoring for any signs that the old certificate is being misused and may speed up the revocation timeline if anything suspicious is detected.

    The Axios supply chain attack has been linked to North Korean threat actors tracked as UNC1069, who conducted a social engineering campaign against one of the project’s maintainers.

After luring the maintainer into a fake video-conference call that resulted in malware being installed on their machine, the threat actors gained access to the maintainer's npm account and published malicious versions of the Axios package to the registry.

    This malicious package included a dependency that installed a remote access trojan (RAT) on macOS, Windows, and Linux systems.

    According to researchers, the attackers approached developers through convincing fake collaboration setups, including Slack workspaces and Microsoft Teams calls, eventually tricking them into installing malware that led to credential theft and downstream supply chain compromises.

    The activity has been linked to a larger campaign to compromise popular open-source projects for widespread supply chain attacks.


