Mac users of the ChatGPT desktop client will see a forced update appear before June 12. OpenAI discovered that two employee devices were compromised in a supply‑chain attack targeting the open‑source TanStack library. The breach prompted the company to revoke existing code‑signing certificates and block apps signed with them.

The intrusion, linked to the Mini Shai-Hulud campaign, allowed limited credential exfiltration from internal repositories accessed by the affected staff. OpenAI engaged a third‑party forensics firm, contained the threat, and confirmed no user data or broader systems were breached. Only a small subset of credentials was taken, and no other code was altered.

Because the compromised code could generate product certificates, OpenAI is revoking all prior signatures and requiring Mac users to install the new, securely signed version. No action is needed for iOS or Windows clients; users simply accept the update when prompted. This rapid response aims to preserve trust in OpenAI’s desktop ecosystem.