A compromised version of Axios — the ubiquitous JavaScript HTTP library — briefly ran inside OpenAI's macOS app-signing pipeline on March 31, 2026. The malicious payload had access to the certificate OpenAI uses to prove its Mac apps are legitimate. OpenAI says the cert was probably not stolen, but is revoking and rotating it anyway. The deadline to update: May 8, 2026.
What happened
On March 31, a GitHub Actions workflow that handles macOS code signing pulled in Axios version 1.14.1 — a poisoned release pushed as part of a broader software supply chain attack that hit multiple companies. That workflow had access to OpenAI's Apple signing certificate and notarization material, used to authenticate ChatGPT Desktop, Codex, Codex CLI, and Atlas. OpenAI's post-mortem, conducted with a third-party forensics firm, concluded the cert was likely not exfiltrated due to timing and job sequencing — but they're treating it as burned regardless. No user data, internal systems, or source code were accessed.
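The pipeline-side check a defender wants after a disclosure like this is whether any lockfile in CI ever resolved the poisoned release. The script below is an added example, not OpenAI's code or anything from the Axios project: it walks an npm package-lock.json (lockfileVersion 1, 2 and 3 layouts) and flags every nested install of a known-bad version. The two lockfiles embedded in it are constructed for illustration; the only fact taken from the notice is the compromised version number.

```python
import json

# Known-bad releases named in the incident write-up.
COMPROMISED = {"axios": {"1.14.1"}}

# Constructed lockfileVersion 3 sample (not a real OpenAI lockfile).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "sign-macos",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
        },
        # A second, nested copy of axios at a safe version.
        "node_modules/some-tool/node_modules/axios": {"version": "1.13.0"},
        "node_modules/follow-redirects": {"version": "1.15.9"},
    },
})

# Constructed lockfileVersion 1 sample: transitive installs are nested trees.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "notarize-helper",
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {
            "version": "2.0.0",
            "dependencies": {"axios": {"version": "1.14.1"}},
        },
    },
})


def _walk_v1(deps, prefix, out):
    """Recurse through a lockfileVersion 1 nested 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        out.append((path, name, meta.get("version")))
        _walk_v1(meta.get("dependencies"), path + "/", out)


def installed_packages(lock_text):
    """Return (install path, package name, version) for every lockfile entry."""
    lock = json.loads(lock_text)
    out = []
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            # Aliased packages carry an explicit name; otherwise derive it from the path.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            out.append((path, name, meta.get("version")))
    if "dependencies" in lock:  # lockfileVersion 1 (v2 files carry both sections)
        _walk_v1(lock["dependencies"], "", out)
    return out


def find_compromised(lock_text):
    """Sorted list of 'path@version' entries that resolve to a known-bad release."""
    hits = set()
    for path, name, version in installed_packages(lock_text):
        if version in COMPROMISED.get(name, ()):
            hits.add(f"{path}@{version}")
    return sorted(hits)


if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for hit in find_compromised(lock):
            print(f"[{label}] COMPROMISED: {hit}")
```

Run it over every package-lock.json in the repository (including lockfiles committed under .github/ for workflow tooling) rather than only the top-level one; the v3 sample shows why the nested path matters, since a safe top-level axios does not rule out a poisoned transitive copy.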
Why it matters
Supply chain attacks through dev tooling are increasingly the path of least resistance into high-value targets. Axios is downloaded hundreds of millions of times per week — a single malicious version in a CI pipeline can touch dozens of companies before anyone notices. The fact that OpenAI's signing infrastructure was in scope, even briefly, is the kind of near-miss that warrants the full certificate rotation and third-party forensics response they're running here. Apple is also being looped in to block new notarizations under the old cert.
What to watch
macOS users running ChatGPT Desktop, Codex, Codex CLI, or Atlas need to update to the new certificate-signed builds before May 8 — after that, older versions lose update support and may break entirely. Minimum versions are ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex CLI 0.119.0, and Atlas 1.2026.84.2. Updates are available in-app or via OpenAI's official download links. The broader Axios incident is still unfolding across the industry, so expect more companies to surface similar disclosures.
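For anyone checking a fleet against the May 8 cutoff, the useful detail is that these version strings must be compared numerically, component by component, or a build such as 1.2026.9 will sort after 1.2026.051 and pass a string comparison it should fail. The script below is an added example rather than OpenAI's own tooling: it reads CFBundleShortVersionString from an app bundle's Info.plist (the embedded plist is constructed; the bundle path in the comment is a hypothetical install location) and compares it against the minimum versions listed above. The "codex-cli 0.118.3" output format for the CLI is an assumption, not something the notice states.

```python
import plistlib
import re

# Minimum builds from the notice; older builds lose update support after May 8, 2026.
MINIMUM_VERSIONS = {
    "ChatGPT Desktop": "1.2026.051",
    "Codex App": "26.406.40811",
    "Codex CLI": "0.119.0",
    "Atlas": "1.2026.84.2",
}


def version_key(version):
    """Turn '1.2026.051' into (1, 2026, 51) so comparison is numeric per component."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def meets_minimum(product, version):
    """True if 'version' is at or above the floor recorded for 'product'."""
    return version_key(version) >= version_key(MINIMUM_VERSIONS[product])


def version_from_info_plist(plist_bytes):
    """Read the marketing version from the contents of an app bundle's Info.plist."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]


def version_from_cli_output(text):
    """Pull the first dotted version out of a tool's --version output (assumed format)."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return match.group(0)


# Constructed Info.plist for illustration. On a real Mac it would be read from
# /Applications/<App>.app/Contents/Info.plist (hypothetical path).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>example.constructed.chatgpt</string>
<key>CFBundleShortVersionString</key><string>1.2026.9</string>
</dict></plist>"""


def audit_bundle(product, plist_bytes):
    """Report whether an installed app bundle is at or above the required build."""
    version = version_from_info_plist(plist_bytes)
    return {"product": product, "version": version, "ok": meets_minimum(product, version)}


if __name__ == "__main__":
    print(audit_bundle("ChatGPT Desktop", SAMPLE_INFO_PLIST))
    print("Codex CLI ok:", meets_minimum("Codex CLI", version_from_cli_output("codex-cli 0.118.3")))
```

A bundle that fails the check should be updated through the app or OpenAI's official download links rather than from any third-party mirror, since the point of the rotation is that only builds signed with the new certificate remain trustworthy.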