OpenAI Rotates macOS Certificates, Urges App Updates

Per an OpenAI blog post dated April 10, 2026, OpenAI disclosed a software supply-chain incident in which a GitHub Actions workflow used in its macOS app-signing process downloaded and executed a malicious third-party package on March 31, 2026. OpenAI wrote, "we found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered." The company identified impacted macOS applications as ChatGPT Desktop, Codex App, Codex CLI, and Atlas, and listed earliest releases signed with the rotated certificate (OpenAI). OpenAI said the workflow had access to a certificate and notarization material used for signing macOS applications and, out of an abundance of caution, rotated those certificates (OpenAI).

Per OpenAI's disclosure, the workflow executed a malicious version of the third-party developer tool Axios (OpenAI). Other coverage attributed the incident to malicious packages published in the TanStack/npm ecosystem and reported that two employee devices installed malicious TanStack packages, with subsequent limited unauthorized access observed in internal source-code repositories holding signing material (PCMag; AppleInsider). Forbes and security reporting cited a GitHub account compromise and short-lived malicious Axios versions that were removed within hours (Forbes).

OpenAI reported that its analysis concluded the signing certificate present in the job was "likely not successfully exfiltrated" but that the company would treat the certificate as compromised and revoke and rotate it as a precaution (OpenAI). PCMag reported that investigators detected activity consistent with credential-focused exfiltration in a limited subset of internal repositories to which the impacted employees had access (PCMag). OpenAI provided a list of affected release builds it identified as signed with the updated certificate (OpenAI).

Editorial analysis: Supply-chain compromises in package ecosystems like npm continue to be an effective avenue for attackers to reach build and signing tooling. Companies that discover potential exposure of signing material commonly rotate certificates and push mandatory updates to limit the window in which an attacker could misuse signing keys. For practitioners, the incident reinforces the importance of restricting CI/CD job access, auditing artifact notarization paths, and monitoring for unexpected package changes in dependency trees.

Editorial analysis: This incident is notable because code-signing material can enable an attacker to distribute binaries that bypass OS-level trust checks such as Apple's Gatekeeper. AppleInsider reports that Apple's protections will stop trusting apps signed with the older certificates after June 12, 2026, which creates a hard deadline for macOS clients to move to re-signed binaries (AppleInsider). The operational impact is concentrated on desktop macOS users of the affected OpenAI apps; OpenAI and multiple security outlets emphasize there is no reported evidence of customer data exfiltration (OpenAI; Forbes; PCMag).

Observers will track whether post-rotation notarization and revocation logs show any anomalous signing activity, and whether downstream projects that pull affected npm packages publish indicators of compromise. Reporting differences between sources on which npm packages were used in the malicious workflow (Axios in OpenAI's post versus TanStack reporting in other outlets) mean forensic reconciliations and supply-chain timelines remain relevant. Security teams should watch for follow-up technical writeups from OpenAI, and for any third-party advisories from package maintainers or GitHub about account compromises or malicious package uploads.