What Happened: TanStack, Mini Shai-Hulud, and OpenAI’s Mac Apps
OpenAI has confirmed a software supply chain attack that directly impacts its macOS users. The incident began when malicious versions of TanStack npm packages, linked to the Mini Shai-Hulud campaign, were published and briefly available for download. Two OpenAI employee devices in a corporate environment installed the compromised packages, allowing malware to run during the npm install process and steal developer credentials. Investigators found unauthorized activity in a limited subset of internal source code repositories tied to those employees. Critically, these repositories contained code-signing certificates used for OpenAI products, including ChatGPT Desktop, Codex App, Codex CLI, and Atlas on macOS, as well as other platforms. OpenAI reports no evidence that customer data, production systems, intellectual property, or the apps themselves were altered. However, because signing materials may have been exposed, the company is rotating certificates and requiring Mac users to update.

Why This Matters: macOS Signing Certificates and ChatGPT Security Threats
The most serious risk from this incident is not that current OpenAI apps are infected, but that stolen signing certificates could be abused. On macOS, Gatekeeper and Apple’s notarization systems rely on code-signing certificates to verify that an app truly comes from a legitimate developer. If attackers obtain those certificates, they can sign their own malicious software so it appears to be a genuine OpenAI app, potentially bypassing built-in malware protection. OpenAI’s investigation found no evidence that the exposed certificates have been used to sign malware or distribute fake ChatGPT, Codex, or Atlas apps so far. Still, the theoretical ChatGPT security threat is significant enough that OpenAI and Apple are taking preventive action. Apple will stop trusting apps signed with the old macOS signing certificate after a set deadline, forcing a coordinated OpenAI Mac app update for existing users.

Mandatory Updates: Deadlines and Affected OpenAI Mac Apps
Mac users running OpenAI desktop apps must update before Apple’s security deadline, after which older builds may be blocked. OpenAI has re-signed its macOS applications with new certificates so they remain trusted by macOS security systems. Older versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas that still use the previous certificates may stop functioning correctly or fail to receive future updates once Apple’s protections stop trusting the old signatures. OpenAI specifically identified ChatGPT Desktop 1.2026.125, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1 as affected releases. macOS users must move to the latest versions signed with the rotated certificates to avoid disruption. While Windows and iOS users do not need to take action right now, the OpenAI Mac app update is effectively mandatory. Failing to update means risking app breakage and potentially missing further security improvements.

Step-by-Step: How to Safely Update ChatGPT, Codex, and Atlas on macOS
To protect yourself, update directly from trusted channels and avoid any suspicious installers. First, open each OpenAI app on your Mac—ChatGPT Desktop, Codex App, and Atlas—and check for a built-in update option in the app menu or settings. If an update is available, install it immediately and restart the app so the new macOS signing certificate takes effect. If you downloaded these apps from OpenAI’s website, return only to the official site to grab the latest version, then drag the new app into your Applications folder, replacing the old copy. Do not install apps from links in emails, messages, ads, file-sharing links, or third-party download sites, even if they claim to be from OpenAI or reference ChatGPT security threats. For Codex CLI, developers should reinstall the tool from the official OpenAI distribution channel and ensure no untrusted npm packages remain in their development environment.
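As an added check that is not OpenAI's own tooling, the script below reads each app bundle's Info.plist, compares the installed build against the affected releases listed above (treating older builds as affected too, since they carry the previous certificate), and prints the signing authority and Team ID that codesign reports; the bundle paths under /Applications are assumed.

```python
import plistlib
import subprocess
import sys
from pathlib import Path

# Affected releases as listed by OpenAI; older builds are treated as affected
# too, since they also carry the previous certificate.
AFFECTED = {"ChatGPT": "1.2026.125", "Codex": "26.506.31421",
            "Atlas": "1.2026.119.1"}
# Bundle paths are an assumption; the article does not name them.
APP_BUNDLES = {"ChatGPT": "/Applications/ChatGPT.app",
               "Codex": "/Applications/Codex.app",
               "Atlas": "/Applications/Atlas.app"}

def version_tuple(version):
    """'1.2026.119.1' -> (1, 2026, 119, 1) so comparisons are numeric."""
    return tuple(int(p) for p in version.split("."))

def needs_update(installed, affected):
    """True when the installed build is the affected release or older."""
    return version_tuple(installed) <= version_tuple(affected)

def bundle_version(plist_bytes):
    """Read CFBundleShortVersionString from an Info.plist (XML or binary)."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]

def signing_info(bundle):
    """Authority chain and Team ID that codesign reports for the bundle."""
    if sys.platform != "darwin":
        return ["(codesign is only available on macOS)"]
    out = subprocess.run(["codesign", "-dv", "--verbose=4", bundle],
                         capture_output=True, text=True)
    # codesign prints its details on stderr
    return [l for l in out.stderr.splitlines()
            if l.startswith(("Authority=", "TeamIdentifier="))]

def main():
    for name, bundle in APP_BUNDLES.items():
        plist = Path(bundle, "Contents", "Info.plist")
        if not plist.exists():
            print(f"{name}: not found at {bundle}")
            continue
        installed = bundle_version(plist.read_bytes())
        flag = "UPDATE REQUIRED" if needs_update(installed, AFFECTED[name]) else "ok"
        print(f"{name} {installed}: {flag}")
        for line in signing_info(bundle):
            print("   ", line)

if __name__ == "__main__":
    main()
```

Compare the printed Authority lines against the identity shown by a freshly downloaded build from OpenAI's site; a mismatch means the copy is still on the old certificate or did not come from OpenAI.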

The Bigger Picture: Supply Chain Attacks and Developer Tool Risks
This incident highlights how modern supply chain attacks increasingly target developer tools and dependencies rather than end users directly. The TanStack npm compromise shows how a widely used library can become a delivery mechanism for malware that steals GitHub tokens, API keys, and internal secrets from developers. Once inside a corporate environment, attackers can pivot to sensitive systems such as source code repositories and macOS signing certificate stores, even without touching production infrastructure. For users, this underscores the importance of staying current with security updates, even when an app appears to function normally. For developers, it’s a reminder to treat build systems and package managers as high-value targets, enforce strict dependency controls, and monitor for suspicious package versions. Supply chain attacks are becoming harder to contain, and timely OpenAI Mac app updates are one crucial layer of malware protection in a broader defensive strategy.
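For the developer side of this, an added example (not from the article or from OpenAI): the malware in this incident ran during npm install, which is possible because npm executes a dependency's preinstall, install and postinstall scripts automatically. The script below audits a node_modules tree for packages that declare those hooks and checks whether the project's .npmrc disables them with ignore-scripts=true; the node_modules path is taken from the command line.

```python
import json
from pathlib import Path

# Lifecycle scripts npm runs automatically for a dependency during `npm install`;
# a malicious release only needs one of them to execute code on the dev machine.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def install_scripts(manifest):
    """Return the install-time lifecycle scripts declared in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

def audit_manifests(manifests):
    """manifests: iterable of (path, package.json dict). Report every package
    that hooks the install step, with the exact commands it would run."""
    findings = []
    for path, data in manifests:
        hooks = install_scripts(data)
        if hooks:
            findings.append({"name": data.get("name"), "version": data.get("version"),
                             "path": str(path), "scripts": hooks})
    return findings

def audit_node_modules(root):
    """Walk a node_modules tree and audit every package.json found in it."""
    def manifests():
        for p in Path(root).rglob("package.json"):
            try:
                yield p.parent, json.loads(p.read_text(encoding="utf-8"))
            except (ValueError, OSError):
                continue  # unreadable or non-JSON file; not a package manifest
    return audit_manifests(manifests())

def npmrc_ignores_scripts(npmrc_text):
    """True when an .npmrc sets ignore-scripts=true, which stops install hooks
    from running at all (needed build steps must then be run explicitly)."""
    for line in npmrc_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # ini-style comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "node_modules"
    for f in audit_node_modules(root):
        print(f"{f['name']}@{f['version']} ({f['path']}): {f['scripts']}")
    rc = Path(".npmrc")
    if not (rc.exists() and npmrc_ignores_scripts(rc.read_text())):
        print("note: install scripts are enabled (no ignore-scripts=true in .npmrc)")
```

Packages that legitimately need an install hook (native builds, for example) will show up too; the value is in diffing the list between installs so a hook that appears in a new release of a long-trusted dependency stands out.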
