HeadlinesBriefing.com

OpenAI Revokes macOS Signing Certificate After Axios Breach

OpenAI Blog

OpenAI reacted after a supply-chain breach hit the Axios library, a staple in its macOS build chain. On March 31, 2026, a malicious Axios 1.14.1 release slipped through a GitHub Actions workflow that had access to the signing certificate used for ChatGPT Desktop, Codex, and Atlas. No user data was exposed and no credentials were compromised globally.

To mitigate risk, OpenAI revoked the compromised certificate and issued a new one. From May 8, older macOS apps (ChatGPT Desktop 1.2026.071, Codex 26.406.40811, Codex-CLI 0.119.0, Atlas 1.2026.84.2) will stop receiving updates and may become unusable. Users must install the latest builds via in-app updates or official sites to maintain compatibility and security across all devices.

OpenAI’s investigation ruled out any data breach or unauthorized code changes. The root cause was a misconfigured GitHub Actions workflow that used a floating tag instead of a fixed commit hash and lacked a minimumReleaseAge check. The company engaged a forensic firm, rotated keys, and coordinated with Apple to block old notarizations and prevent malicious re‑signing.
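
One way to check a workflow for the floating-tag misconfiguration described above, as an added example that is not code from OpenAI or the original post: a small Python audit that flags every uses: reference in a GitHub Actions workflow that is not pinned to a full 40-character commit SHA (or, for docker:// references, a sha256 digest). The sample workflow, the example-org action names and the SHA are constructed placeholders, and the minimumReleaseAge check is not covered here.

```python
import re

# Matches a step-level or job-level "uses:" key and captures its target.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify(target):
    """Return 'pinned', 'local' or 'floating' for one uses: target."""
    if target.startswith("./"):
        return "local"          # action or workflow in the same repository
    if target.startswith("docker://"):
        return "pinned" if DIGEST.search(target) else "floating"
    _, sep, ref = target.rpartition("@")
    if sep and FULL_SHA.match(ref):
        return "pinned"         # full commit SHA, cannot be re-pointed
    return "floating"           # tag, branch, short SHA or missing ref


def audit_workflow(text):
    """Return (line_number, target) for every floating reference."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "floating":
            findings.append((number, match.group(1)))
    return findings


# Constructed sample workflow; action names and the SHA are placeholders.
SAMPLE = """\
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/sign-macos@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - name: lint
        uses: example-org/lint-action@main
      - uses: ./.github/actions/local-build
      - uses: docker://ghcr.io/example-org/tool:latest
"""

if __name__ == "__main__":
    for number, target in audit_workflow(SAMPLE):
        print(f"line {number}: {target} is not pinned to a commit SHA")
```

Run as a CI gate, a non-empty result from audit_workflow would fail the job before any step with access to signing material executes.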

Users receive a 30‑day window to update before May 8, when Apple will block any app signed with the old key. OpenAI stresses that iOS, Android, Linux, and Windows versions remain unaffected, and that passwords or API keys were not compromised. The update ensures all macOS clients run code signed by the trusted new certificate.