OpenAI has given macOS users until May 8, 2026 to update its desktop applications, after deciding to revoke the Apple Developer ID certificate used to sign ChatGPT Desktop, Codex, Codex CLI and the Atlas browser. The disclosure, published in an OpenAI blog post on April 10, follows a software supply chain attack against the popular Axios JavaScript HTTP client that briefly put malicious code into OpenAI's macOS build pipeline on March 31.
What happened
According to OpenAI's disclosure and reporting from The Hacker News, attackers published tampered Axios releases (versions 1.14.1 and 0.30.4) that pulled in a hidden dependency called "plain-crypto-js." That dependency dropped a cross-platform backdoor researchers have tracked as WAVESHAPER.V2, capable of running on Windows, macOS and Linux. A GitHub Actions workflow OpenAI uses to sign and notarize its Mac apps fetched and executed one of those poisoned Axios builds during a routine job.
The job had access to the Apple Developer ID certificate used to code-sign the company's desktop products. OpenAI's investigation concluded the certificate was "likely not" successfully exfiltrated, citing the timing of the malicious payload relative to the point at which the certificate was injected into the job, among other mitigating factors. Even so, the company is rotating its signing material and asking every user to move to a freshly signed build.
What OpenAI is saying
In its public response, OpenAI wrote that it "found no evidence that OpenAI user data was accessed, that our systems or intellectual property were compromised, or that our software was altered." The company framed the certificate revocation as a precaution rather than a confirmed breach, but said older app versions will be blocked by macOS security protections once the certificate is invalidated on May 8.
What users need to do
OpenAI has published the minimum builds users must run after the revocation:
- ChatGPT Desktop 1.2026.071 or later
- Codex App 26.406.40811 or later
- Codex CLI 0.119.0 or later
- Atlas 1.2026.84.2 or later
Apps left unpatched after the deadline will no longer auto-update and may refuse to launch, since macOS Gatekeeper will reject a signature from the revoked certificate. Enterprise customers who manage OpenAI binaries through MDM tooling will need to push the new versions before the cutoff.
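A fleet check for that cutoff, added here as an example and not taken from OpenAI's advisory or tooling: the script compares each installed build with the minimum versions listed above and compares version components numerically, so the zero-padded ChatGPT build 1.2026.071 is not misread as older than 1.2026.71, and a missing trailing component (1.2026.84 against 1.2026.84.2) counts as zero. The .app bundle paths and the output shape of codex --version are assumptions, not details from the article.

```shell
#!/bin/sh
# Added example, not OpenAI's own tooling: compare the OpenAI builds installed on a Mac
# with the minimum versions that survive the May 8, 2026 certificate revocation.
# Assumptions not taken from the article: the .app bundle paths below, and that
# `codex --version` prints the version as the last whitespace-separated field.

MIN_CHATGPT="1.2026.071"       # minimum builds published by OpenAI (from the article)
MIN_CODEX_APP="26.406.40811"
MIN_CODEX_CLI="0.119.0"
MIN_ATLAS="1.2026.84.2"

# version_ge A B -> exit 0 when dotted version A >= B, 1 otherwise.
# Components compare numerically ("071" == 71, so a zero-padded build number is not
# mistaken for a lower one), a missing trailing component counts as 0, and a suffix
# such as "-beta" is stripped rather than breaking the comparison.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = x[i]; yi = y[i]
      gsub(/[^0-9]/, "", xi); gsub(/[^0-9]/, "", yi)
      xi += 0; yi += 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# verdict INSTALLED MIN -> prints "ok", "update", or "absent" when INSTALLED is empty.
verdict() {
  if [ -z "$1" ]; then echo absent
  elif version_ge "$1" "$2"; then echo ok
  else echo update
  fi
}

# app_version BUNDLE -> CFBundleShortVersionString of an installed .app, or nothing.
app_version() {
  plist="$1/Contents/Info.plist"
  [ -f "$plist" ] || return 0
  /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null || true
}

# cli_version -> version reported by `codex --version`, or nothing if it is not on PATH.
cli_version() {
  command -v codex >/dev/null 2>&1 || return 0
  codex --version 2>/dev/null | awk 'NR == 1 { print $NF }'
}

# inventory -> one line per product; exit status 1 if any installed build must be updated.
inventory() {
  rc=0
  while IFS='|' read -r name have min; do
    state=$(verdict "$have" "$min")
    printf '%-10s installed=%-14s minimum=%-14s %s\n' "$name" "${have:-none}" "$min" "$state"
    if [ "$state" = update ]; then rc=1; fi
  done <<EOF
ChatGPT|$(app_version "/Applications/ChatGPT.app")|$MIN_CHATGPT
Codex|$(app_version "/Applications/Codex.app")|$MIN_CODEX_APP
Codex CLI|$(cli_version)|$MIN_CODEX_CLI
Atlas|$(app_version "/Applications/ChatGPT Atlas.app")|$MIN_ATLAS
EOF
  return $rc
}

# On a Mac, run the inventory; after updating, Gatekeeper should still accept the new
# bundle (spctl evaluates signature and notarization, which is what revocation breaks).
if [ "$(uname -s)" = Darwin ]; then
  inventory || echo "ACTION: update the builds marked above before 2026-05-08"
  if [ -d /Applications/ChatGPT.app ]; then
    spctl --assess --type execute --verbose /Applications/ChatGPT.app || true
  fi
fi
```

Pushed as an MDM script payload, the exit status tells the management console which Macs still need attention, and the spctl line gives a quick post-update confirmation that the freshly signed bundle is accepted.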
Why it matters
The incident is a reminder that AI vendors inherit the same open-source supply chain risk as any other software company. Axios is one of the most-downloaded packages on npm, at over 70 million weekly downloads, and one tampered maintenance release was enough to put a backdoor into the build pipeline of the largest consumer AI app on the planet. The broader attack chain (system reconnaissance and persistence from WAVESHAPER.V2, paired with cleanup routines in the dropper that delete the malicious payload after execution) is explicitly aimed at frustrating the kind of after-the-fact forensics OpenAI has now had to perform.
For security teams, the practical takeaway is narrower: treat May 8 as a hard inventory date for every Mac running OpenAI's desktop tooling, and verify that CI/CD jobs with access to signing material are not resolving third-party dependencies at run time from floating tags or unpinned version ranges.
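One way to run that second check, added here as an example and not anything from OpenAI's pipeline: the audit below greps a GitHub Actions workflow for action references that float on a tag or branch instead of a commit SHA, and for npm invocations that resolve versions (and run install scripts) at job time, then lists where signing secrets enter the same job so the two can be read together. The sample workflow it inspects is constructed for the example, including the commit SHA and the secret name; it is not OpenAI's real workflow.

```shell
#!/bin/sh
# Added example, not OpenAI's workflow or tooling: audit a GitHub Actions workflow for
# dependencies that are resolved at job time instead of pinned, and show where signing
# material is in scope of the same job.

# Constructed sample workflow for the example (the action SHA and secret name are made up).
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: sign-and-notarize
on: [push]
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4                                              # floating tag
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b      # pinned commit
      - run: npm install                                                       # resolves versions at job time
      - run: npm ci --ignore-scripts                                           # lockfile, no install hooks
      - run: npx release-helper                                                # fetches and executes at job time
      - name: import signing certificate
        run: printf '%s' "$DEVELOPER_ID_P12" | base64 -d > cert.p12
        env:
          DEVELOPER_ID_P12: ${{ secrets.APPLE_DEVELOPER_ID_P12 }}
EOF
}

# count_lines TEXT -> number of non-empty lines in TEXT (0 for an empty string).
count_lines() { printf '%s\n' "$1" | grep -c . || true; }

# audit_workflow FILE -> prints findings; returns how many pinning findings there are.
# Covers owner/repo@ref actions and npm; docker:// images and other package managers
# would need their own patterns.
audit_workflow() {
  f=$1
  # (a) actions referenced by tag or branch: a tag can be moved, a 40-hex commit SHA cannot
  floating=$(grep -nE 'uses:[[:space:]]*[^[:space:]#]+@' "$f" \
             | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true)
  # (b) npm install/i/add/update and npx take whatever matches the version range today,
  #     which is how a freshly published tampered release gets in; npm ci on a committed
  #     lockfile installs only the recorded version and integrity hash
  resolving=$(grep -nE '(^|[^A-Za-z])(npm (install|i|add|update)|npx)([^A-Za-z]|$)' "$f" || true)
  # (c) not a finding by itself, but shows which steps hand the job signing material
  signing=$(grep -nE 'secrets\.[A-Za-z0-9_]*(CERT|SIGN|P12|KEYCHAIN|NOTAR)' "$f" || true)

  if [ -n "$floating" ]; then
    printf 'floating action refs (pin to a commit SHA):\n%s\n' "$floating"
  fi
  if [ -n "$resolving" ]; then
    printf 'job-time dependency resolution (commit a lockfile, use npm ci --ignore-scripts):\n%s\n' "$resolving"
  fi
  if [ -n "$signing" ]; then
    printf 'signing secrets in scope of this job:\n%s\n' "$signing"
  fi
  return $(( $(count_lines "$floating") + $(count_lines "$resolving") ))
}

# Stand-alone run against the constructed sample: 3 findings (1 floating ref, 2 npm/npx).
tmp=$(mktemp)
write_sample_workflow "$tmp"
audit_workflow "$tmp" || echo "findings: $?"
rm -f "$tmp"
```

Point audit_workflow at each workflow under .github/workflows and treat any job that reports both pinning findings and signing secrets as the first thing to fix; a job with floating dependencies but no signing material is a lesser problem than the combination OpenAI describes.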