What Happened: A Supply Chain Attack Hits OpenAI’s Mac Ecosystem
OpenAI has disclosed a supply chain attack that affects its macOS apps, including ChatGPT, Codex, Codex CLI, and Atlas. The incident traces back to malicious versions of TanStack npm packages, part of a widely used open-source library ecosystem for developers. Malware tied to the “Mini Shai-Hulud” campaign infected two employee devices after the compromised packages were installed, giving attackers a foothold inside OpenAI’s corporate environment. From there, the attackers accessed a limited set of internal source code repositories. These repositories contained private signing certificates used to prove that OpenAI apps are legitimate, trusted software. OpenAI says it found no evidence that user data, production systems, intellectual property, or released software were altered. Still, the exposure of critical signing materials means every Mac user running OpenAI desktop apps now faces a strict security deadline to update.

Why Exposed Mac App Signing Certificates Are a Serious Security Risk
The core issue is not that OpenAI’s existing apps suddenly turned malicious; instead, the danger lies in what attackers could do with stolen Mac app signing certificates. On macOS, systems like Gatekeeper and Apple’s notarization process rely on these certificates to confirm that an app truly comes from a trusted developer. If attackers possess those credentials, they could sign their own malware so it appears to be a genuine OpenAI app, potentially bypassing built-in macOS defenses. OpenAI and external forensics experts found no evidence that the certificates were used to sign malicious software or that fake apps have been distributed so far. Even so, the potential for abuse is significant enough that OpenAI is rotating its certificates and re-signing apps. This ChatGPT Mac security update is therefore a preventative measure to close off future misuse of exposed credentials.
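Because the whole question turns on what Gatekeeper sees in an app's signing chain, it helps to look at that chain directly. The script below is an added example (not OpenAI's or Apple's code): it parses the report that `codesign -dv --verbose=4` prints for an installed bundle, pulls out the Team ID and the certificate chain, and flags anything that is not a Developer ID Application certificate chained to Apple's root with the hardened runtime enabled. `EXPECTED_TEAM_ID`, the bundle identifier and both sample reports are constructed placeholders, not OpenAI's real values; substitute the Team ID the vendor publishes.

```python
"""Verify the signing chain reported by macOS codesign for an installed app.

Added example, not OpenAI's or Apple's code. EXPECTED_TEAM_ID and the sample
codesign reports are constructed placeholders, not OpenAI's real values.
"""
import subprocess
from dataclasses import dataclass, field

EXPECTED_TEAM_ID = "EXAMPLE_TEAM_ID"  # placeholder: use the vendor's published Team ID

# Constructed sample of `codesign -dv --verbose=4 /Applications/Example.app` output
# for a Developer ID-signed, hardened-runtime app (leaf certificate listed first).
SAMPLE_GOOD = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.desktopapp
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (EXAMPLE_TEAM_ID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE_TEAM_ID
"""

# Constructed sample for an ad-hoc signed build: no certificate chain at all.
SAMPLE_ADHOC = """\
Executable=/Users/me/Downloads/Example.app/Contents/MacOS/Example
Identifier=com.example.desktopapp
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""


@dataclass
class SignatureInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)  # leaf first, root last
    hardened_runtime: bool = False


def parse_codesign_output(text: str) -> SignatureInfo:
    """Parse the key=value report that codesign -dv prints (on stderr)."""
    info = SignatureInfo()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
        elif key.startswith("CodeDirectory") and "(runtime)" in line:
            info.hardened_runtime = True
    return info


def check_signature(info: SignatureInfo, expected_team_id: str = EXPECTED_TEAM_ID) -> list:
    """Return findings as strings; an empty list means the chain looks as expected."""
    findings = []
    if info.team_id != expected_team_id:
        findings.append(f"TeamIdentifier is {info.team_id!r}, expected {expected_team_id!r}")
    if not info.authorities:
        findings.append("no Authority lines: unsigned or ad-hoc signed, Gatekeeper will refuse it")
    else:
        leaf, root = info.authorities[0], info.authorities[-1]
        if not leaf.startswith("Developer ID Application:"):
            findings.append(f"leaf certificate is not Developer ID Application: {leaf!r}")
        elif f"({expected_team_id})" not in leaf:
            findings.append("leaf certificate Team ID does not match the TeamIdentifier line")
        if root != "Apple Root CA":
            findings.append(f"chain does not end at Apple Root CA: {root!r}")
    if not info.hardened_runtime:
        findings.append("hardened runtime not enabled; notarized builds require it")
    return findings


def inspect_app(app_path: str) -> list:
    """On macOS: run codesign on the bundle and return the findings."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                          capture_output=True, text=True, check=False)
    return check_signature(parse_codesign_output(proc.stderr))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        problems = inspect_app(path)
        print(path, "OK" if not problems else "; ".join(problems))
```

Two caveats when reading the result. `codesign` confirms that the signature is structurally valid and names the chain, but it does not by itself tell you Gatekeeper's verdict; `spctl -a -vv /Applications/Example.app` is the command that returns `accepted` or `rejected` and consults the certificate's current status. And an app signed with one of the now-exposed certificates will still show a perfectly well-formed Developer ID chain here, which is exactly why the check needs to be paired with the version deadline below rather than used on its own.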

Mandatory Deadline: Update ChatGPT, Codex, and Atlas on Mac Before June 12
Because OpenAI’s previous Mac app signing certificates were exposed, Apple’s macOS protections will stop trusting apps signed with those credentials after June 12. That makes updating mandatory for anyone using OpenAI’s desktop tools on Mac. The affected releases include ChatGPT Desktop 1.2026.125, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1. After the deadline, older versions may be blocked by Gatekeeper, cease functioning correctly, or stop receiving updates. To prevent disruption and reduce security risk, OpenAI has re-signed its apps with new certificates and is urging users to move quickly. Importantly, OpenAI reports no evidence that customer data or production systems were accessed in this software security breach, but rotating certificates is a necessary step to restore strong trust in the Mac app ecosystem and protect users from possible impersonation attacks.
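The four version numbers above are the line between "signed with the exposed certificates" and "re-signed", so a fleet or personal check reduces to a version comparison per app. The script below is an added example, not OpenAI's code: it encodes the four minimum versions from the article, compares them numerically (so `1.2026.119.1` is correctly newer than `1.2026.119`), and reads `CFBundleShortVersionString` from each bundle's `Info.plist`. The bundle paths in `APP_BUNDLES`, the sample plist, and the assumption that the CLI prints its version on `codex --version` are mine, not documented on the page.

```python
"""Gate installed OpenAI Mac apps against the re-signed minimum versions.

Added example, not OpenAI's code. The minimum versions are the four releases
the article names; bundle paths, the sample plist and the CLI version parsing
are assumptions.
"""
import plistlib
import re
import subprocess

# Re-signed releases named in the article. Anything older carries a signature
# from the exposed certificates and loses macOS trust after June 12.
MINIMUM_VERSIONS = {
    "ChatGPT": "1.2026.125",
    "Codex": "26.506.31421",
    "Codex CLI": "0.130.0",
    "Atlas": "1.2026.119.1",
}

# Assumed bundle locations for the desktop apps (not stated on the page).
APP_BUNDLES = {
    "ChatGPT": "/Applications/ChatGPT.app",
    "Codex": "/Applications/Codex.app",
    "Atlas": "/Applications/Atlas.app",
}

# Constructed Info.plist fragment used for the offline demonstration.
SAMPLE_INFO_PLIST = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict>'
    b'<key>CFBundleShortVersionString</key><string>1.2026.120</string>'
    b'</dict></plist>'
)


def version_key(version: str) -> tuple:
    """'1.2026.119.1' -> (1, 2026, 119, 1); non-numeric text is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like strcmp, zero-padding so that 1.2 == 1.2.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_current(app: str, installed: str) -> bool:
    """True when the installed build is at least the re-signed minimum for `app`."""
    return compare_versions(installed, MINIMUM_VERSIONS[app]) >= 0


def bundle_version_from_plist(plist_bytes: bytes) -> str:
    """Read CFBundleShortVersionString from Info.plist contents."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]


def installed_bundle_version(app_path: str) -> str:
    with open(f"{app_path}/Contents/Info.plist", "rb") as fh:
        return bundle_version_from_plist(fh.read())


def cli_version_from_output(text: str) -> str:
    """Pull the first dotted version out of a CLI's --version output (assumed format)."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    return match.group(0) if match else ""


def audit(installed: dict) -> dict:
    """Map app name -> 'ok' or 'update required' for the versions supplied."""
    return {app: "ok" if is_current(app, ver) else "update required"
            for app, ver in installed.items()}


if __name__ == "__main__":
    found = {}
    for app, path in APP_BUNDLES.items():
        try:
            found[app] = installed_bundle_version(path)
        except (FileNotFoundError, KeyError):
            continue  # not installed at the assumed path
    try:
        out = subprocess.run(["codex", "--version"], capture_output=True,
                             text=True, check=False).stdout
        if cli_version_from_output(out):
            found["Codex CLI"] = cli_version_from_output(out)
    except FileNotFoundError:
        pass  # CLI not on PATH
    for app, status in audit(found).items():
        print(f"{app}: {found[app]} -> {status} (minimum {MINIMUM_VERSIONS[app]})")
```

Version-only gating is deliberately strict: a build that reports an older number is treated as needing an update even if it happens to launch today, because the trust it relies on expires on June 12 regardless of whether Gatekeeper has started blocking it yet.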

How to Safely Update Your OpenAI Mac Apps Step by Step
To protect yourself from any fallout of the supply chain attack OpenAI experienced, update directly from official sources. First, open each OpenAI Mac app you use—such as ChatGPT Desktop, Codex App, or Atlas—and check for a built-in update option in the menu (often under “ChatGPT” or “Help” > “Check for Updates”). If an update is available, install it and follow any on-screen prompts, then restart the app. If you installed via a direct download, revisit OpenAI’s official website or trusted app distribution pages, download the latest version, and overwrite your existing installation. Avoid searching for installers through ads or third-party download sites. OpenAI explicitly warns against installing apps from links in emails, texts, chat messages, or file-sharing links that claim to be “OpenAI,” “ChatGPT,” or “Codex.” Updating from official channels ensures you get properly signed, notarized apps using the new, secure certificates.

Lessons from the TanStack Incident: Supply Chain Attacks Are Escalating
This incident highlights how modern software development can magnify the impact of a single compromise. The attack began when an adversary published 84 malicious versions across 42 TanStack npm packages, some of which receive millions of weekly downloads. Security researchers spotted the issue within about 20 minutes, and the bad versions were pulled, but any developer who ran npm install during that window had to treat their machine as potentially compromised. In OpenAI’s case, malware on two developer devices exfiltrated GitHub tokens, API keys, and other credentials, eventually reaching internal repositories that held Mac app signing certificates. This supply chain attack on OpenAI illustrates how attackers increasingly target development tools and libraries rather than end users directly. For organizations and individuals alike, it underscores the importance of rapid patching, diligent dependency management, and strict verification of software sources.
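The practical question for any developer who ran `npm install` in that window is whether one of the 84 bad versions landed in their tree. The lockfile is the first place to look, and the script below is an added example (not TanStack's, npm's or OpenAI's tooling) that walks a `package-lock.json` in any of its three formats, lists every package under the `@tanstack/` scope, and flags versions on a denylist. The article does not list the malicious versions, so `DENYLIST` and the sample lockfile are constructed placeholders; populate the denylist from the official advisory for the 42 affected packages.

```python
"""Scan a package-lock.json for TanStack packages and flag denylisted versions.

Added example, not TanStack's, npm's or OpenAI's tooling. The article does not
list the 84 malicious versions, so DENYLIST and the sample lockfile are
constructed placeholders; populate DENYLIST from the official advisory.
"""
import json
import sys

# Constructed placeholder: package name -> set of malicious versions.
DENYLIST = {
    "@tanstack/example-pkg": {"9.9.9-malicious-placeholder"},
}

# Constructed lockfileVersion 3 sample with one bad and two good TanStack entries,
# one of them nested under another dependency.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@tanstack/example-pkg": {"version": "9.9.9-malicious-placeholder"},
        "node_modules/@tanstack/other-pkg": {"version": "5.0.0"},
        "node_modules/some-lib": {"version": "2.1.0"},
        "node_modules/some-lib/node_modules/@tanstack/other-pkg": {"version": "4.9.0"},
    },
})


def load_lockfile(text: str) -> dict:
    return json.loads(text)


def iter_installed(lock: dict):
    """Yield (name, version) for every entry in a v1, v2 or v3 lockfile."""
    packages = lock.get("packages")
    if packages is not None:
        # v2/v3: keys are node_modules paths; "" is the root project itself.
        # rsplit keeps scoped names intact and handles nested node_modules.
        for path, meta in packages.items():
            if path and "version" in meta:
                yield path.rsplit("node_modules/", 1)[-1], meta["version"]
        return
    # v1: nested "dependencies" trees
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if "version" in meta:
                yield name, meta["version"]
            if "dependencies" in meta:
                stack.append(meta["dependencies"])


def audit_lockfile(lock: dict, denylist: dict = DENYLIST, scope: str = "@tanstack/"):
    """Return (found, hits): all packages under `scope`, and those on the denylist."""
    found, hits = [], []
    for name, version in iter_installed(lock):
        if name.startswith(scope):
            found.append((name, version))
            if version in denylist.get(name, ()):
                hits.append((name, version))
    return found, hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = load_lockfile(fh.read())
    else:
        data = load_lockfile(SAMPLE_LOCKFILE)
    found, hits = audit_lockfile(data)
    for name, version in found:
        flag = "  <-- DENYLISTED" if (name, version) in hits else ""
        print(f"{name}@{version}{flag}")
    sys.exit(1 if hits else 0)
```

A clean lockfile is evidence, not proof. If a malicious version was installed and then replaced when the packages were pulled, the lockfile records only the replacement, and the install scripts have already run; a machine that was in that window should be treated as potentially compromised, as the article says, with the tokens and keys it held rotated rather than waiting for a scanner to confirm the infection.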
