What Happened: TanStack, Mini Shai-Hulud and OpenAI’s Mac Apps
OpenAI is warning Mac users that an urgent OpenAI Mac app update is required after a software supply chain attack hit its developer environment. The incident traces back to TanStack, a popular open-source library distributed through the npm ecosystem. An attacker pushed 84 malicious versions across 42 TanStack npm packages, which were quickly flagged and removed but still managed to infect two OpenAI employee devices. The malware, associated with the Mini Shai-Hulud campaign, ran during npm install and was designed to steal developer credentials such as GitHub tokens, API keys and internal secrets. OpenAI’s investigation found unauthorized access in a limited set of internal source code repositories tied to those compromised devices. Critically, those repositories included Apple signing certificates used for macOS apps like ChatGPT Desktop, Codex, Codex CLI and Atlas, prompting a coordinated security response and a hard deadline for users to update.

Why Supply Chain Attacks in npm Are So Dangerous
This incident highlights how a supply chain attack in npm can silently undermine Mac software security. Instead of attacking OpenAI’s applications directly, the threat actors compromised a widely used dependency—TanStack packages—embedded in many development workflows. Because these libraries are trusted and automatically pulled in by tools, malicious changes can spread quickly before anyone notices. In this case, the malicious npm packages executed during installation, exfiltrating credentials and opening a path into OpenAI’s internal systems. Modern applications depend on vast networks of third-party code and automated pipelines, so a single poisoned package can affect multiple products and organizations at once. That makes detection harder and shifts the frontline from user devices to developer environments and build systems. Even though OpenAI reports no evidence of altered software or accessed user data, the exposure of signing material shows how severe a dependency-level compromise can become.

How Apple Signing Certificates Protect Mac Users
Apple signing certificates are a core part of how macOS decides which apps to trust. When OpenAI signs ChatGPT or Codex with its Apple signing certificate, macOS Gatekeeper and notarization systems can verify that the software truly comes from OpenAI and hasn’t been tampered with. This code-signing verification is a critical defense layer: it helps block unknown apps, prevents invisible modification of trusted software and reduces the risk of users running disguised malware. The practical ChatGPT security threat here is not that OpenAI’s existing Mac apps suddenly became malicious. Instead, stolen signing certificates could let attackers sign their own malware so it appears to be a legitimate OpenAI app, increasing the chances users or even macOS would accept it. To counter this, OpenAI is rotating its certificates and working with Apple so older credentials can no longer be used to notarize or distribute software.

The June 12 Deadline: Which Mac Apps Must Be Updated
Because the exposed Apple signing certificate affects trust in older binaries, OpenAI and Apple are enforcing a clear cutoff date. Mac users must install the new OpenAI Mac app update for all affected apps before June 12. After that date, macOS security protections will stop trusting apps signed with the previous certificates, and older versions may be blocked, fail to launch or stop receiving updates. Affected releases include ChatGPT Desktop 1.2026.125, Codex App 26.506.31421, Codex CLI 0.130.0 and Atlas 1.2026.119.1. OpenAI has re-signed these apps with fresh certificates and is urging users to download updates only from official channels, such as the official website or trusted app stores. Windows and iOS users do not need to take action for now, as OpenAI has already rotated credentials in those environments without requiring user-side updates.
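
As an added example (not OpenAI's own tooling), a Python check a practitioner could run on a Mac to confirm that the installed ChatGPT, Codex and Atlas bundles are at the versions listed above and are signed by the expected Apple Team ID. The bundle paths under /Applications and the EXPECTED_TEAM_ID placeholder are assumptions, as is treating the versions above as the re-signed builds; Codex CLI is a command-line tool rather than an app bundle and is left out.

```python
"""Added example, not OpenAI's tooling: check whether an installed OpenAI Mac app
is a re-signed build and which Apple Team ID signed it. Bundle paths and the
EXPECTED_TEAM_ID value are assumptions; fill the Team ID in from OpenAI's notice."""
import plistlib
import re
import subprocess
from pathlib import Path

# Versions named in this article; assumed here to be the re-signed builds, so
# anything older still carries the old certificate. Codex CLI is not a .app bundle.
MIN_VERSIONS = {"ChatGPT": "1.2026.125", "Codex": "26.506.31421", "Atlas": "1.2026.119.1"}
EXPECTED_TEAM_ID = "TEAMID_PLACEHOLDER"  # placeholder: the article does not give OpenAI's Team ID

def version_tuple(v: str) -> tuple:
    """'1.2026.125' -> (1, 2026, 125); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_updated(app: str, installed: str) -> bool:
    """True when the installed version is at least the re-signed minimum for app."""
    return version_tuple(installed) >= version_tuple(MIN_VERSIONS[app])

def parse_codesign(output: str) -> dict:
    """Pull TeamIdentifier and the Authority chain out of `codesign -dvv` output."""
    info = {"authority": []}
    for line in output.splitlines():
        m = re.match(r"(\w+)=(.*)", line.strip())  # skips 'Sealed Resources ...' style lines
        if m and m.group(1) == "Authority":
            info["authority"].append(m.group(2))
        elif m and m.group(1) == "TeamIdentifier":
            info["team_id"] = m.group(2)
    return info

def signed_by_expected_team(output: str, expected: str = EXPECTED_TEAM_ID) -> bool:
    # Gatekeeper validates the chain; this pins the signer's Team ID on top of that.
    return parse_codesign(output).get("team_id") == expected

def check_app(bundle: Path, app: str) -> dict:
    """On macOS: read the bundle version, inspect the signer and ask Gatekeeper."""
    with open(bundle / "Contents" / "Info.plist", "rb") as f:
        version = plistlib.load(f)["CFBundleShortVersionString"]
    cs = subprocess.run(["codesign", "-dvv", str(bundle)], capture_output=True, text=True)
    sp = subprocess.run(["spctl", "-a", "-vv", str(bundle)], capture_output=True, text=True)
    return {"version": version, "updated": is_updated(app, version),
            "signer_ok": signed_by_expected_team(cs.stdout + cs.stderr),  # codesign reports on stderr
            "gatekeeper": "accepted" if "accepted" in (sp.stdout + sp.stderr) else "rejected"}

if __name__ == "__main__":
    for app in MIN_VERSIONS:
        bundle = Path("/Applications") / f"{app}.app"  # assumed install location
        if bundle.exists():
            print(app, check_app(bundle, app))
```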

Practical Security Steps for Mac Users Right Now
To stay protected, Mac users should update all OpenAI desktop apps—ChatGPT, Codex, Codex CLI and Atlas—before June 12, ensuring they’re running the latest certificate-signed versions. Download installers only from OpenAI’s official site or trusted stores, not from links in emails, ads, chats or file-sharing services. Be especially wary of unsolicited “OpenAI,” “ChatGPT” or “Codex” installers, as attackers may try to exploit confusion by distributing fake apps that mimic legitimate branding. Keep macOS Gatekeeper enabled and avoid disabling security prompts that warn about unidentified developers. Developers who installed affected TanStack npm packages on May 11 should treat their machines as potentially compromised, rotate credentials such as GitHub tokens and API keys, and review logs for suspicious access. While OpenAI and investigators report no evidence of user data compromise, proactive patching and cautious download habits remain the best defense against future supply chain attacks.
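
For the developer-side step above, an added example (not code from OpenAI or the TanStack project) that triages a project's package-lock.json for the two signals this incident turned on: TanStack packages to compare against the advisory, and dependencies that run lifecycle scripts during npm install. It assumes lockfileVersion 2 or 3; the sample lockfile and advisory entry embedded in it are constructed, since the article does not list the malicious version numbers.

```python
"""Added example, not code from OpenAI or the TanStack project: triage a
package-lock.json for the two signals that mattered here, TanStack packages to
compare with the advisory and dependencies that run scripts during install.
Assumes lockfileVersion 2 or 3, which carry a top-level "packages" map."""
import json
import sys

SUSPECT_SCOPE = "@tanstack/"

def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@tanstack/x' -> '@tanstack/x'."""
    marker = "node_modules/"
    return path[path.rfind(marker) + len(marker):]

def triage_lockfile(lock: dict, bad_versions=None) -> dict:
    """bad_versions maps package name -> set of malicious versions from the
    advisory; the article does not list them, so the caller supplies them."""
    bad_versions = bad_versions or {}
    found = {"tanstack": [], "install_scripts": [], "advisory_hits": []}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        name, version = package_name(path), meta.get("version")
        entry = {"name": name, "version": version, "resolved": meta.get("resolved")}
        if name.startswith(SUSPECT_SCOPE):
            found["tanstack"].append(entry)
            if version in bad_versions.get(name, ()):
                found["advisory_hits"].append(entry)
        # npm sets hasInstallScript for packages with preinstall/install/postinstall
        # hooks; hooks of that kind are what executed during `npm install` here.
        if meta.get("hasInstallScript"):
            found["install_scripts"].append(entry)
    return found

# Constructed sample lockfile: every name, version and URL below is made up.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/@tanstack/sample-lib": {"version": "9.9.1",
        "resolved": "https://registry.npmjs.org/@tanstack/sample-lib/-/sample-lib-9.9.1.tgz"},
    "node_modules/@tanstack/sample-hooks": {"version": "9.9.2", "hasInstallScript": True},
    "node_modules/plain-dep": {"version": "1.0.0"},
    "node_modules/plain-dep/node_modules/native-addon": {"version": "2.0.0", "hasInstallScript": True},
}}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    # Constructed advisory entry, standing in for the real list of bad versions.
    print(json.dumps(triage_lockfile(lock, {"@tanstack/sample-hooks": {"9.9.2"}}), indent=2))
```

Installing with npm's standard `--ignore-scripts` option keeps lifecycle hooks from executing at all, which removes the path the install-time malware used here.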
