OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
Summary
OpenAI discovered that on March 31 a GitHub Actions workflow (an automated process that runs in a code repository) used to sign its macOS apps downloaded a malicious version of the Axios library containing a backdoor called WAVESHAPER.V2. Although OpenAI found no evidence that user data or systems were compromised, the company is treating its signing certificate as compromised and revoking it. As a result, older versions of its macOS apps will stop receiving updates and support after May 8, 2026.
Solution / Mitigation
OpenAI is revoking and rotating the compromised certificate. Users must update to the following minimum versions by May 8, 2026, or their apps will be blocked by macOS security protections: ChatGPT Desktop 1.2026.071, Codex App 26.406.40811, Codex CLI 0.119.0, and Atlas 1.2026.84.2. OpenAI is also working with Apple to prevent any new software notarization (Apple's process for verifying legitimate apps) using the old certificate, so unauthorized code signed with it will be blocked by default by macOS security protections.
Original source: https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html
First tracked: April 13, 2026 at 08:00 AM