How a Mac Supply Chain Attack Put OpenAI Apps at Risk
A recent Mac supply chain attack has placed OpenAI’s macOS apps, including ChatGPT, Codex, and Atlas, under urgent scrutiny. The incident began when attackers compromised popular Tanstack npm packages, inserting malware into trusted development dependencies. Two OpenAI employee devices installed the malicious versions, which let the attackers run credential-stealing payloads during npm install. This activity targeted developer secrets such as GitHub tokens, API keys, and internal access credentials. While OpenAI reports no evidence that customer data, production systems, or app code were altered, internal repositories storing private code-signing certificates were exposed. These certificates are what macOS uses to verify that an app is a genuine OpenAI ChatGPT build rather than, say, password-stealing malware. If abused, they could let attackers distribute trojanized apps that appear fully legitimate, passing standard macOS security checks and Gatekeeper prompts without complaint.
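The payload in this incident ran from the install phase of a dependency, which is also the most practical place to hunt for it afterwards. The script below is an added example, not code from OpenAI or the Tanstack project: it scans an npm lockfile (v2/v3 `packages` map) for versions on a compromised list and for packages that npm marks as running install-time lifecycle scripts. The article does not name the affected package versions, so the `COMPROMISED` table and the sample lockfile are constructed placeholders to be replaced with the names from the advisory you are acting on.

```python
"""Added example: scan an npm lockfile for known-compromised versions and for
packages that execute lifecycle scripts during `npm install`.
All data below is constructed; the compromised list is a placeholder."""
import json

# PLACEHOLDER (assumption, not the real affected releases): name -> versions
# taken from the advisory you are responding to.
COMPROMISED = {
    "@tanstack/example-pkg": {"1.2.3"},
}

# Lifecycle hooks npm runs automatically while installing a package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_lockfile(lock: dict) -> list:
    """Return one finding per suspicious entry in a package-lock's `packages` map."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        # Nested installs look like node_modules/a/node_modules/b; keep the leaf name.
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "")
        if version in COMPROMISED.get(name, set()):
            findings.append({"package": name, "version": version,
                             "reason": "known-compromised version"})
        # npm sets hasInstallScript when the package declares install hooks.
        if entry.get("hasInstallScript"):
            findings.append({"package": name, "version": version,
                             "reason": "runs a lifecycle script at install time"})
    return findings


def install_hooks(package_json: dict) -> list:
    """Install-time hooks declared in an installed package's own package.json."""
    scripts = package_json.get("scripts", {})
    return [hook for hook in INSTALL_HOOKS if hook in scripts]


# Constructed sample lockfile: one clean package, one on the compromised list,
# and one that declares an install script.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/@tanstack/example-pkg": {"version": "1.2.3"},
    "node_modules/native-thing": {"version": "2.0.0", "hasInstallScript": true}
  }
}
""")

# Constructed package.json of the third package above.
SAMPLE_PKG_JSON = {"name": "native-thing",
                   "scripts": {"postinstall": "node setup.js", "test": "jest"}}

if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCK):
        print(f"{f['package']}@{f['version']}: {f['reason']}")
    print("hooks in native-thing:", install_hooks(SAMPLE_PKG_JSON))
```

Run it against `package-lock.json` on any machine that installed dependencies around the compromise date; a hit on the compromised list means the host's developer secrets should be treated as exposed regardless of what the install script appeared to do, and any package with an install hook you did not expect deserves a look at the script itself.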

Why Stolen Signing Certificates Are So Dangerous for Mac Users
In a Mac supply chain attack, the danger is less about a single infected file and more about trust itself being compromised. The Tanstack npm compromise did not hijack OpenAI’s production systems, but it did expose signing certificates for OpenAI’s iOS, macOS, and Windows products inside internal source code repositories. These certificates are like digital ID cards: macOS uses them to confirm that an app is truly from OpenAI. In the wrong hands, attackers could sign malware that masquerades as an official OpenAI ChatGPT update, making password stealer malware look legitimate enough to slip past operating system safeguards. Because dependencies such as npm libraries are widely trusted and heavily reused, supply chain attacks are inherently harder to detect than direct malware distribution. This is why OpenAI is rotating certificates and requiring a fresh OpenAI ChatGPT update for Mac users, even though no malicious builds have been confirmed in the wild.

SHub Reaper: Malware That Pretends to Be Apple, Google, and Microsoft
At the same time, Mac users face a separate macOS security threat from the SHub Reaper infostealer malware. Instead of exploiting a technical vulnerability, Reaper leans on social engineering and brand impersonation. It has been observed posing as legitimate installers for popular tools like WeChat and Miro, then layering convincing prompts branded to look like Apple, Google, and Microsoft interfaces. Once executed, Reaper focuses on credential theft, harvesting passwords, browser data, cryptocurrency information, and business files. It uses Apple-branded prompts and the applescript URL scheme to trick users into entering their macOS login password, which is then reused to decrypt other stored credentials across the system. For persistence, it hides behind Google-style update paths, with a backdoor script that phones home to a command-and-control server every 60 seconds. The result is a stealthy, long-lived infostealer that thrives on users’ trust in familiar brands.
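A fixed 60-second check-in is exactly the kind of regularity that network telemetry can surface even when the process name and path look benign. The following is an added example, not part of the original article or any vendor tooling: it reads connection records (the log format and every line in `SAMPLE_LOG` are constructed, with TEST-NET addresses), groups them by process and destination, and flags pairs whose inter-connection gaps cluster tightly around an expected period.

```python
"""Added example: detect fixed-interval beaconing in per-process connection logs,
the check-in pattern described for the infostealer above (every 60 seconds).
The log format and all sample lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: an updater-lookalike script checking in every ~60 s,
# alongside a browser with irregular traffic. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG = """\
2026-05-12T10:00:00Z proc=/Users/alice/Library/Google/GoogleUpdater/update.sh dst=203.0.113.7:443
2026-05-12T10:00:03Z proc=/Applications/Safari.app/Contents/MacOS/Safari dst=198.51.100.20:443
2026-05-12T10:01:00Z proc=/Users/alice/Library/Google/GoogleUpdater/update.sh dst=203.0.113.7:443
2026-05-12T10:01:41Z proc=/Applications/Safari.app/Contents/MacOS/Safari dst=198.51.100.20:443
2026-05-12T10:02:01Z proc=/Users/alice/Library/Google/GoogleUpdater/update.sh dst=203.0.113.7:443
2026-05-12T10:03:00Z proc=/Users/alice/Library/Google/GoogleUpdater/update.sh dst=203.0.113.7:443
2026-05-12T10:03:09Z proc=/Applications/Safari.app/Contents/MacOS/Safari dst=198.51.100.20:443
2026-05-12T10:04:00Z proc=/Users/alice/Library/Google/GoogleUpdater/update.sh dst=203.0.113.7:443
2026-05-12T10:05:00Z proc=/Users/alice/Library/Google/GoogleUpdater/update.sh dst=203.0.113.7:443
"""


def parse_line(line: str):
    """Split one constructed record into (timestamp, process path, destination)."""
    ts, proc, dst = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, proc.removeprefix("proc="), dst.removeprefix("dst=")


def find_beacons(log_text: str, expected_period: float = 60.0,
                 tolerance: float = 5.0, min_hits: int = 5) -> list:
    """Flag (process, destination) pairs whose connection gaps are regular
    and close to expected_period seconds."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, proc, dst = parse_line(line)
            seen[(proc, dst)].append(when)

    beacons = []
    for (proc, dst), times in seen.items():
        if len(times) < min_hits:
            continue  # too few samples to call a timer
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        jitter = max(abs(g - period) for g in gaps)
        if abs(period - expected_period) <= tolerance and jitter <= tolerance:
            beacons.append({"process": proc, "destination": dst,
                            "period_s": period, "hits": len(times)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['process']} -> {b['destination']}: every {b['period_s']:.0f}s, {b['hits']} hits")
```

Feed it a longer window than shown here; legitimate updaters also poll on timers, so the value of the output is the pairing of a tight period with a process path that has no business talking to that destination, which is the point at which the "Google-style" path stops looking like Google's.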

Update by June 12 and Lock Down Your Mac Accounts
If you use OpenAI’s macOS apps, you should install the latest OpenAI ChatGPT update from official channels before the June 12 deadline announced by the company. Updating ensures your apps are signed with fresh, uncompromised certificates, limiting the window in which attackers could abuse stolen signing keys. Only download installers from OpenAI’s official website or the Mac App Store, and avoid side-loaded or third-party builds. In parallel, treat any system that installed the malicious Tanstack npm packages on 2026-05-11 as potentially compromised. Rotate API keys, GitHub tokens, and cloud credentials, and enable multi-factor authentication wherever possible. For broader protection against password stealer malware like SHub Reaper, be skeptical of unexpected prompts asking for your Mac password, and verify download URLs for tools such as Miro or WeChat. Combine rapid patching, strict source validation, and hardened credentials to stay ahead of current and future Mac supply chain attacks.
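Installing from official channels is the first step; confirming what actually landed on disk is the check that closes the loop. The script below is an added example, not OpenAI's or Apple's code: it parses the output of `codesign -dvv`, checks that the leaf certificate is a Developer ID Application certificate, that the chain ends at Apple Root CA, that the hardened runtime flag is set, and that the Team ID matches the one you expect, then (on macOS) runs `codesign --verify` against a real bundle. `EXPECTED_TEAM_ID` and `SAMPLE_OUTPUT` are constructed placeholders; OpenAI's real Team ID is not given in the article.

```python
"""Added example: validate the signer of a macOS app bundle from `codesign -dvv`
output and, on macOS, verify the seal of a real bundle.
The Team ID and the sample output are constructed placeholders."""
import subprocess
import sys

# PLACEHOLDER: take the real Team ID from a known-good installation or from
# Apple's notarization record, never from the app you are trying to validate.
EXPECTED_TEAM_ID = "TEAMID0000"

# Constructed sample of the fields codesign prints (to stderr) for a
# Developer ID-signed app; field names are codesign's, values are made up.
SAMPLE_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Inc (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
Sealed Resources version=2 rules=13 files=42
"""


def parse_codesign(text: str) -> dict:
    """Turn codesign's key=value lines into a dict; Authority repeats, so it is a list."""
    info = {"Authority": []}
    for line in text.splitlines():
        if line.startswith("CodeDirectory "):
            info["CodeDirectory"] = line  # flags live inside this line
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def check_signer(text: str, expected_team_id: str):
    """Return (ok, reason) for the signer described by codesign output."""
    info = parse_codesign(text)
    chain = info["Authority"]
    if not chain:
        return False, "unsigned or ad-hoc signed"
    if info.get("TeamIdentifier") != expected_team_id:
        return False, f"team {info.get('TeamIdentifier')} != {expected_team_id}"
    if not chain[0].startswith("Developer ID Application:"):
        return False, f"leaf certificate is not Developer ID: {chain[0]}"
    if chain[-1] != "Apple Root CA":
        return False, "chain does not end at Apple Root CA"
    if "runtime" not in info.get("CodeDirectory", ""):
        return False, "hardened runtime flag missing"
    return True, "ok"


def inspect_app(path: str, expected_team_id: str = EXPECTED_TEAM_ID):
    """macOS only: verify the bundle's seal, then check who signed it."""
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    if verify.returncode != 0:
        return False, verify.stderr.strip()
    info = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return check_signer(info.stderr, expected_team_id)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(inspect_app(sys.argv[1]))
    else:
        print(check_signer(SAMPLE_OUTPUT, EXPECTED_TEAM_ID))
```

One caveat the article's certificate rotation makes important: a Team ID identifies the developer account, not an individual certificate, so this check tells you the signer is the expected team but cannot by itself distinguish a build signed with the exposed certificate from one signed with its replacement. Once the exposed certificates are revoked, `spctl --assess --type execute` is the closer match for what Gatekeeper does at launch, revocation and notarization included, and should reject builds signed with them.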
