MilikMilik

OpenAI Mac Users Face Urgent Security Deadline After Supply Chain Attack Exposes App Signing Certificates

What Happened: Tanstack Malware and the OpenAI Mac App Security Incident

OpenAI has disclosed a software supply chain attack that affects its Mac apps, including ChatGPT Desktop, Codex, Codex CLI, and Atlas. The incident began when two employee devices installed malicious versions of npm packages from Tanstack, a popular open-source library widely used in web development. Those malicious versions were quickly flagged by security researchers, but not before malware associated with the Mini Shai-Hulud campaign ran on the affected machines. The malware was designed to steal developer credentials such as GitHub tokens, API keys, and other internal secrets, creating a pathway into OpenAI’s internal development environment. Investigators later found unauthorized activity in a limited subset of internal source code repositories accessible from those devices. OpenAI reports no evidence that customer data, production systems, or intellectual property were accessed, and no indication that any of its apps distributed to users were altered or tampered with.

Why Apple Signing Certificates Matter and How They Were Exposed

The real security concern is not that OpenAI’s Mac applications themselves became malicious, but that attackers briefly accessed repositories containing private Apple signing certificates. These certificates are used to sign OpenAI’s macOS apps so that Apple’s Gatekeeper and notarization systems can verify that the software truly comes from a legitimate developer. If an attacker steals such signing materials, they can potentially sign their own malware to make it appear as trusted OpenAI software, helping it bypass standard security checks. OpenAI’s investigation found activity consistent with credential-focused exfiltration in a limited set of internal repositories, including those holding signing certificates for macOS, iOS, and Windows products. While OpenAI says it has found no evidence that the exposed certificates were ever used to sign malicious apps, the possibility alone is serious enough that the company is rotating those certificates as a precaution.

June 12 ChatGPT Update Deadline: What Mac Users Must Do Now

Because OpenAI has rotated its Apple signing certificates and re-signed its macOS apps, Mac users now face a hard deadline to update. Apple’s security protections will stop trusting apps signed with the older certificates after June 12, meaning outdated versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas may stop functioning or fail to receive updates. Specific impacted releases include ChatGPT Desktop 1.2026.125, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1. To stay protected, users should download the latest versions directly from official OpenAI channels or trusted app stores, and avoid installers linked from emails, ads, or third-party sites. OpenAI emphasizes that there is no sign of malicious updates, but applying the new versions ensures that your Mac only runs apps signed with the freshly rotated, trusted certificates.

How a Supply Chain Attack in npm Threatens Users Far Beyond Developers

The incident underscores how a supply chain attack in the npm ecosystem can ripple out to end users. Modern applications rely heavily on open-source libraries managed through package repositories such as npm. When attackers compromise widely used dependencies like Tanstack packages, they gain a stealthy route into developer machines and build systems. In this case, the malicious Tanstack packages targeted developer credentials and internal secrets, eventually exposing OpenAI’s signing certificates. Even though OpenAI’s production systems and user data were not breached, the compromise of build-adjacent infrastructure created a credible risk that fake apps could be signed to look authentic. This is the essence of a supply chain attack in npm: by poisoning dependencies rather than final products, attackers can potentially affect software distributed across multiple platforms and organizations, magnifying the impact far beyond the original development teams.

Lessons for Enterprises: Managing Open-Source Risk and Certificate Security

For security and engineering teams, this OpenAI Mac app security incident illustrates how vulnerabilities in open-source libraries can cascade into enterprise environments. A single compromised dependency in the npm supply chain exposed developer devices, internal repositories, and sensitive signing credentials used across macOS, iOS, Windows, and Android products. Organizations should treat developer workstations as high-value targets, enforce strict controls on package installation, and monitor for unusual credential access and exfiltration. Protecting code-signing keys is equally critical; they should be tightly scoped, isolated, and rotated promptly if compromise is suspected. Regular audits of notarization histories and build pipelines can help detect abuse early. Finally, clear user-facing guidance—like OpenAI’s June 12 ChatGPT update deadline and warnings against unofficial installers—is essential to closing the loop between internal security actions and the protection of user devices in the real world.
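
One way to act on the package-installation controls recommended above, as an added example (not code from OpenAI, Tanstack, or this article): audit a parsed `package-lock.json` before installing. The denylisted package name and versions, the sample lockfile, and the finding labels are constructed placeholders, because the article does not list the malicious versions.

```javascript
// DENYLIST holds a hypothetical package name and placeholder versions (assumption).
const DENYLIST = new Map([
  ["@tanstack/example-pkg", new Set(["0.0.0-placeholder"])],
]);
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; non-dependency paths -> null
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk the lockfileVersion 2/3 "packages" map and report risky entries.
function auditLockfile(lock, denylist = DENYLIST) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name || meta.link) continue; // skip the root project and workspace links
    const id = `${name}@${meta.version}`;
    const bad = denylist.get(name);
    // Exact version match against the denylist, including nested (transitive) copies.
    if (bad && bad.has(meta.version)) findings.push({ id, path, issue: "denylisted-version" });
    // No integrity hash means npm cannot verify the tarball content on install.
    if (!meta.integrity) findings.push({ id, path, issue: "missing-integrity" });
    // Tarball fetched from somewhere other than the expected registry.
    if (meta.resolved && !meta.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ id, path, issue: "untrusted-source" });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not real package data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/example-pkg": {
      version: "0.0.0-placeholder",
      resolved: "https://registry.npmjs.org/@tanstack/example-pkg/-/example-pkg-0.0.0-placeholder.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    "node_modules/left/node_modules/@tanstack/example-pkg": {
      version: "0.0.1-placeholder",
      resolved: "https://mirror.invalid/example-pkg.tgz",
    },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

In CI, pass the parsed lockfile to `auditLockfile` and fail the job when the returned list is non-empty.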
