OpenAI rotates Mac certificates after Axios compromise
OpenAI is asking Mac users to update ChatGPT Desktop, Codex App, Codex CLI and Atlas after a compromised Axios package hit a GitHub Actions workflow used in the company’s app-signing pipeline.
What happened
According to OpenAI, a malicious Axios 1.14.1 package was executed on March 31 as part of a broader supply chain incident. The affected workflow had access to certificate and notarization material used to sign OpenAI’s macOS apps.
What OpenAI says now
The company says it found no evidence that user data, internal systems, intellectual property or shipped software were compromised. Even so, OpenAI is rotating the signing certificate and requiring macOS users to move to newer app versions. Older versions will lose support, and may stop working, from May 8, 2026.
OpenAI also says iOS, Android, Linux, Windows and web products are not affected, and that users do not need to change passwords or API keys.
Why this matters
The incident is a reminder that the AI software supply chain is still fragile. Even without signs of a direct data breach, an attack touching app signing can force fast defensive moves to prevent fake apps and protect trust in software distribution.
Source and date validation
The original source is OpenAI’s own post, "Our response to the Axios developer tool compromise," published on April 10, 2026. The story is therefore within the 48-hour window and qualifies as a valid fresh news item.