OpenAI rotates macOS certs after Axios attack hit code-signing workflow
Summary
OpenAI is revoking and rotating its macOS code-signing certificates (digital credentials that verify OpenAI apps are legitimate) after a malicious Axios package was executed in one of its GitHub Actions workflows (automated tasks that run on code repositories). Although OpenAI found no evidence the certificates were actually compromised, the company is treating them as potentially exposed and requiring all macOS users to update their OpenAI apps to versions signed with new certificates by May 8, 2026, when the old certificate will be fully blocked.
Solution / Mitigation
OpenAI is revoking and rotating the code-signing certificate. The company is working with Apple to ensure no future software can be notarized (verified as legitimate) with the previous certificate. The old certificate will be fully revoked on May 8, 2026, after which attempts to launch applications signed with it will be blocked by macOS protections. OpenAI advises users to update via in-app features or official download pages and to avoid installing software from links sent via email, ads, or third-party sites.
Original source: https://www.bleepingcomputer.com/news/security/openai-rotates-macos-certs-after-axios-attack-hit-code-signing-workflow/
First tracked: April 13, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%