OpenAI is requiring all macOS users to update their desktop applications after a security issue involving a widely used third‑party developer library called Axios, the company has announced.

The incident was part of a broader software supply chain attack reported on March 31, 2026. A GitHub Actions workflow used in OpenAI’s macOS app‑signing process downloaded and executed a malicious version of Axios. OpenAI says the workflow had access to certificates used to sign macOS applications, including ChatGPT Desktop, Codex, Codex‑cli and Atlas.

OpenAI said its analysis found that the signing certificate was “likely not successfully exfiltrated” by the malicious payload due to timing and other factors. However, out of an abundance of caution, the company says it is treating the certificate as compromised and is revoking and rotating it.

The company stated that it has found no evidence that user data was accessed, that its systems or intellectual property were compromised, or that its software was altered. No evidence of malware signed as OpenAI has been found, and passwords and API keys were not affected.

Effective May 8, 2026, older versions of the macOS apps will no longer receive updates or support and may not function. Users are advised to update through in‑app prompts or official OpenAI download pages.

The root cause was a workflow misconfiguration involving a floating tag and a lack of a minimum release age for new packages, which OpenAI said it has addressed. The issue does not affect iOS, Android, Linux, Windows or web versions.