OpenAI Rotates macOS Certificates After Axios Supply Chain Attack

Iris Coleman
Apr 15, 2026 02:02

OpenAI responds to North Korea-linked Axios npm compromise by rotating code signing certificates. macOS users must update ChatGPT, Codex apps by May 8.

OpenAI is forcing all macOS users to update their desktop applications after the company’s app-signing workflow was exposed to the Axios supply chain attack—a compromise attributed to North Korean threat actors that hit the popular JavaScript library on March 31, 2026.

The AI giant says it found no evidence that user data was accessed or that its software was tampered with. But the company isn’t taking chances: it’s treating its macOS code signing certificate as compromised and revoking it entirely on May 8, 2026.

What Actually Happened

When the compromised Axios version 1.14.1 hit npm on March 31, a GitHub Actions workflow OpenAI uses for macOS app signing downloaded and executed the malicious code. That workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas—the credentials that tell macOS “yes, this software really comes from OpenAI.”

The root cause? A misconfiguration. OpenAI’s workflow referenced Axios using a floating tag rather than a pinned commit hash, and lacked a configured minimumReleaseAge for new packages. Classic supply chain vulnerability.
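The two controls this paragraph names, an exact pin instead of a floating tag and a minimum release age for freshly published packages, as an added Python check that is not OpenAI's workflow code or pnpm's minimumReleaseAge implementation. The registry metadata, the build time and the `left-pad` entry are constructed for the example; only version 1.14.1 and the March 31 date come from the article, and a floating spec is approximated as resolving to the newest publish.

```python
"""Audit npm dependency specs for floating versions and for releases newer
than a minimum age (the two gaps the article names). Added example, not
OpenAI's or pnpm's code; registry data is constructed except version 1.14.1."""
import re
from datetime import datetime, timedelta, timezone

# Only an exact semver version is pinned; ranges, dist-tags like "latest"
# and git/URL references float to whatever is newest at install time.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
MIN_AGE = timedelta(days=7)  # the release-age gate used in this example

def parse_ts(ts):
    """Parse an npm registry timestamp (ISO 8601 with trailing Z)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def floating_specs(dependencies):
    """Names of dependencies whose spec is not an exact version."""
    return sorted(n for n, s in dependencies.items() if not EXACT_VERSION.match(s))

def too_new(times, min_age, now):
    """Versions in a registry `time` map published less than min_age ago."""
    return sorted(v for v, ts in times.items() if parse_ts(ts) > now - min_age)

def resolve(spec, times):
    """Version a spec would install: an exact pin resolves to itself; a
    floating spec is approximated as the newest publish (real semver range
    resolution is more nuanced, but the exposure is the same)."""
    if EXACT_VERSION.match(spec):
        return spec
    return max(times, key=lambda v: parse_ts(times[v])) if times else None

def audit(dependencies, registry, min_age, now):
    """Return human-readable findings from both checks."""
    findings = [f"{n}: floating spec {dependencies[n]!r}" for n in floating_specs(dependencies)]
    for name, spec in dependencies.items():
        times = registry.get(name, {})
        version = resolve(spec, times)
        if version in too_new(times, min_age, now):
            findings.append(f"{name}@{version}: published less than {min_age.days} days ago")
    return findings

# Constructed registry data: a release landing two hours before the build runs.
NOW = datetime(2026, 3, 31, 12, 0, tzinfo=timezone.utc)
REGISTRY = {"axios": {"1.13.0": "2026-01-10T09:00:00.000Z",
                      "1.14.0": "2026-03-01T09:00:00.000Z",
                      "1.14.1": "2026-03-31T10:00:00.000Z"}}
WEAK = {"axios": "latest", "left-pad": "^1.3.0"}  # floating specs, no age gate
PINNED = {"axios": "1.14.0"}                      # exact pin, checked with MIN_AGE

if __name__ == "__main__":
    print(*audit(WEAK, REGISTRY, MIN_AGE, NOW), sep="\n")
```

Against the weak manifest the audit reports two floating specs plus the two-hour-old 1.14.1 release; the pinned manifest passes both checks.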


OpenAI’s internal analysis suggests the signing certificate likely wasn’t successfully exfiltrated due to timing and execution sequencing. But “likely” isn’t good enough when you’re signing software that runs on millions of machines.

The Broader Attack

The Axios compromise wasn’t targeting OpenAI specifically. Security researchers, including Google’s threat intelligence team, have linked the attack to a North Korea-nexus actor—possibly Sapphire Sleet or UNC1069. The attackers compromised an npm maintainer’s account and injected a malicious dependency called ‘plain-crypto-js’ that deployed a cross-platform RAT capable of reconnaissance, persistence, and self-destruction to avoid detection.

The attack hit organizations across business services, financial services, and tech sectors globally.

What Users Need to Do

If you run any OpenAI macOS apps, update now. After May 8, older versions will stop functioning entirely. Minimum required versions:

ChatGPT Desktop: 1.2026.051
Codex App: 26.406.40811
Codex CLI: 0.119.0
Atlas: 1.2026.84.2

Download only from official sources or via in-app updates. OpenAI explicitly warns against installing anything from emails, ads, or third-party sites—sound advice given that a malicious actor with the old certificate could theoretically sign fake apps that look legitimate.

Windows, iOS, Android, and Linux users aren’t affected. Neither are web versions. Passwords and API keys remain secure.

Why the 30-Day Window?

OpenAI could revoke the certificate immediately but chose not to. New notarization with the compromised certificate is already blocked, meaning any fraudulent app signed with it would fail macOS’s default security checks unless users manually override them.

The delay gives users time to update through normal channels rather than waking up to broken software. OpenAI says it’s monitoring for any signs of certificate misuse and will accelerate revocation if malicious activity appears.

The incident underscores how supply chain attacks continue to ripple through the software ecosystem. One compromised npm package, and suddenly OpenAI is rotating certificates across its entire macOS product line. For developers, the lesson is clear: pin your dependencies to specific commits, not floating tags.
