OpenAI identified a supply chain compromise tied to the `Axios` developer library that touched a GitHub Actions workflow used to sign macOS applications. OpenAI says the malicious payload, which executed on March 31, likely did not exfiltrate the signing certificate, and that there is no evidence that user data, API keys, or systems were compromised. As a precaution, OpenAI is invalidating the old signing certificate, issuing new certificates, and requiring all macOS users to update their OpenAI apps. Affected software includes ChatGPT Desktop, `Codex`, `Codex-cli`, and Atlas; older app versions will stop receiving updates and may become nonfunctional after **May 8, 2026**. Users should update from inside the app or from official links; passwords and API keys do not need to be changed.