OpenAI rotates macOS app certificates after Axios signing workflow risk
OpenAI said a compromised third-party developer tool affected its macOS app-signing workflow and is rotating certificates for ChatGPT Desktop, the Codex app, Codex CLI, and Atlas. The company said it found no evidence of user-data access or software tampering, and older macOS app versions will stop working after the update window.

TL;DR
- OpenAI said a malicious Axios package touched a GitHub Actions workflow used in its macOS signing pipeline, but the company found no evidence that user data, systems, IP, or shipped software were compromised.
- In OpenAI's incident writeup, the company says the workflow downloaded axios@1.14.1, one of the same poisoned releases that Microsoft's threat-intel post tied to a broader supply-chain attack.
- According to OpenAI's FAQ post, OpenAI is revoking and rotating the macOS signing certificate used for ChatGPT Desktop, Codex App, Codex CLI, and Atlas.
- OpenAI's main thread says all macOS users need updated builds, and OpenAI's FAQ sets May 8, 2026 as the cutoff when older versions may stop working and lose support.
You can read OpenAI's full incident note, cross-check the broader npm compromise in Microsoft's writeup, and see that one affected product, Codex CLI, is a local coding agent OpenAI ships for macOS and Linux. The weirdly specific detail is in OpenAI's FAQ: it does not claim the cert was stolen; it says the job timing and certificate-injection sequence likely prevented exfiltration, yet it is rotating the certificate anyway.
The signing workflow exposure
OpenAI says the compromised component was not an app binary or a production system. It was a GitHub Actions workflow in the macOS app-signing process that downloaded and executed axios@1.14.1, the malicious release named in the company's technical writeup.
That workflow had access to the signing certificate and notarization material for ChatGPT Desktop, Codex, Codex CLI, and Atlas. In Microsoft's analysis, the Axios compromise also delivered second-stage payloads across macOS, Windows, and Linux, which helps explain why OpenAI treated a likely non-exfiltration as a full certificate incident: code that ran on the signing runner had a cross-platform payload available, even if the timing meant it never reached the key material.
The affected apps and replacement builds
OpenAI says it has already published new macOS builds signed with a new certificate. The products in scope are the same four named in the X thread and FAQ:
- ChatGPT Desktop, earliest safe version 1.2026.051
- Codex App, earliest safe version 26.406.40811
- Codex CLI, earliest safe version 0.119.0
- Atlas, earliest safe version 1.2026.84.2
The list matters because OpenAI defines those as the earliest releases signed with the updated certificate, not merely the latest app versions. For Codex CLI, that hits a developer-facing tool that OpenAI describes on its official docs page as a local terminal coding agent.
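One way to turn that list into a check, as an added example that is not part of OpenAI's post or tooling: read CFBundleShortVersionString out of an app bundle's Info.plist and compare it, as a numeric dotted version, against the earliest safe version for that product. The Info.plist below is a constructed sample, the product names are taken from the list above, and the `/Applications/<App>.app/Contents/Info.plist` path in the usage note is the conventional bundle layout, not something the page states for these apps.

```python
"""Added example: is an installed macOS build at or above the earliest version
OpenAI lists as signed with the new certificate? Stdlib only."""
import plistlib

# Earliest versions signed with the updated certificate, per OpenAI's FAQ.
EARLIEST_SAFE = {
    "ChatGPT Desktop": "1.2026.051",
    "Codex App": "26.406.40811",
    "Codex CLI": "0.119.0",
    "Atlas": "1.2026.84.2",
}


def parse_version(version):
    """Split a dotted version into an int tuple so '1.2026.051' sorts as
    1.2026.51 and a shorter version (1.2026.84) compares below 1.2026.84.2."""
    return tuple(int(part) for part in version.split("."))


def needs_update(product, installed):
    """True when `installed` predates the earliest build signed with the new cert."""
    return parse_version(installed) < parse_version(EARLIEST_SAFE[product])


def version_from_info_plist(plist_bytes):
    """Read CFBundleShortVersionString from an Info.plist (XML or binary form)."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]


def audit(product, plist_bytes):
    """Return (installed_version, needs_update) for one bundle's Info.plist."""
    installed = version_from_info_plist(plist_bytes)
    return installed, needs_update(product, installed)


# Constructed sample Info.plist; the identifier and version are made up and
# not taken from a real ChatGPT, Codex or Atlas bundle.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.constructed-desktop</string>
    <key>CFBundleShortVersionString</key>
    <string>1.2026.050</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    installed, stale = audit("ChatGPT Desktop", SAMPLE_PLIST)
    print(f"ChatGPT Desktop {installed}: {'UPDATE REQUIRED' if stale else 'ok'}")
```

On a real machine you would pass the bytes of `/Applications/<App>.app/Contents/Info.plist` (assumed conventional path) instead of the sample. A version at or above the cutoff tells you the build was published after the rotation; to see the signing identity itself, `codesign -d --verbose=4 <App>.app` prints the certificate chain under `Authority=` lines.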
Why May 8 matters
The May 8 deadline is about revocation timing, not just a routine forced update. In the FAQ, OpenAI says Apple has already blocked new notarizations with the old certificate, and the company reviewed prior notarization events to confirm there was no unexpected use of those keys.
OpenAI also says it found no evidence of risk to existing installations. But once the old certificate is fully revoked on May 8, new downloads and first launches of apps signed with the previous certificate may be blocked by macOS security protections, and older builds will no longer receive support or updates.
The GitHub Actions mistake
OpenAI's most concrete root-cause detail is buried near the end of the incident note. The signing workflow used a floating tag instead of pinning to a specific commit hash, and it also lacked a configured minimumReleaseAge for new packages.
That is a very CI-shaped failure mode. The compromised Axios package only needed to land in the dependency path of the signing job once for OpenAI to treat all macOS signing material touched by that job as suspect. The two missing controls cover different windows: pinning an action to a commit hash stops the workflow's own steps from silently changing underneath a review, while a minimum release age keeps a package version published minutes or hours earlier out of the install until the ecosystem has had time to notice and pull it.
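The two controls the incident note names, as an added example rather than anything from OpenAI's workflow: a small stdlib-only linter that flags `uses:` references in a GitHub Actions workflow that are not pinned to a full commit SHA, and a function that emulates a minimumReleaseAge gate over npm-registry-style publish timestamps. The workflow text, the action names, the commit SHA and every timestamp below are constructed for illustration; the real publish time of axios@1.14.1 is not on this page and is not claimed here.

```python
"""Added example: lint a GitHub Actions workflow for floating action refs and
apply a minimum-release-age gate to package versions. Stdlib only."""
import re
from datetime import datetime, timedelta

# Constructed sample workflow (not OpenAI's). One step is pinned to a commit
# SHA (illustrative value); the other two float on a tag and a branch.
SAMPLE_WORKFLOW = """
name: macos-sign
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
      - uses: example-org/sign-and-notarize@main
      - run: npm install axios
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def find_unpinned_uses(workflow_text):
    """Return the `uses:` refs not pinned to a 40-hex commit SHA. A tag (v4)
    or branch (main) can be repointed at new code later; a SHA cannot."""
    unpinned = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or docker refs are not a tag-vs-SHA question
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


# Constructed version -> publish-time map in the shape of the npm registry's
# "time" field. These timestamps are made up, not the real axios history.
SAMPLE_TIME = {
    "1.13.0": "2026-01-10T12:00:00.000Z",
    "1.14.0": "2026-02-20T12:00:00.000Z",
    "1.14.1": "2026-03-31T12:00:00.000Z",
}


def parse_time(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def newest_allowed_version(time_map, now_iso, minimum_release_age_minutes):
    """Emulate a minimumReleaseAge gate (minutes, as pnpm's setting is):
    skip any version published less than the threshold before `now`, then
    return the newest remaining version, or None if nothing is old enough."""
    cutoff = parse_time(now_iso) - timedelta(minutes=minimum_release_age_minutes)
    eligible = [v for v, stamp in time_map.items() if parse_time(stamp) <= cutoff]
    eligible.sort(key=lambda v: tuple(int(x) for x in v.split(".")))
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    for ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"unpinned action ref: {ref}")
    now = "2026-03-31T13:00:00.000Z"  # constructed: one hour after 1.14.1 lands
    print("no gate     ->", newest_allowed_version(SAMPLE_TIME, now, 0))
    print("1-day gate  ->", newest_allowed_version(SAMPLE_TIME, now, 1440))
```

With the constructed timestamps, a one-day gate resolves to 1.14.0 an hour after 1.14.1 is published, which is the whole point of the setting: a freshly poisoned release has a window in which it is not installable by default. The linter is deliberately line-based so it needs no YAML library; a production check would also verify that each pinned SHA actually belongs to the tag named in the trailing comment.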