OpenAI’s response to the Axios developer tool compromise centers on a familiar supply-chain failure mode: a compromised dependency getting executed inside CI, right where sensitive release credentials live. On April 10, 2026, OpenAI said it had identified a security issue involving a third-party developer tool—Axios—after a malicious version ran inside a GitHub Actions workflow used in its macOS app-signing process. OpenAI reported no evidence that user data was accessed, internal systems or IP were compromised, or that published software was altered, but it is still rotating the credentials that matter most for macOS trust signals.
What happened: a compromised package entered the signing pipeline
OpenAI’s timeline starts on March 31, 2026 (UTC), when Axios was compromised as part of a broader software supply chain attack (OpenAI links to Google Cloud threat intelligence for additional context). OpenAI says a GitHub Actions workflow involved in signing macOS apps downloaded and executed the malicious Axios package, specifically Axios 1.14.1.
That workflow had access to certificate and notarization material used to sign OpenAI’s macOS applications, including:
- ChatGPT Desktop
- Codex App
- Codex CLI
- Atlas
Even though OpenAI’s analysis suggests the signing certificate was likely not successfully exfiltrated—citing payload timing, how certificates were injected into the job, and job sequencing—the company is treating the certificate as compromised anyway.
Remediation: certificate rotation, new builds, and a cutoff date
OpenAI says it has revoked and rotated its macOS code signing certificate and published new builds of the affected macOS products with the updated certificate. It also engaged a third-party digital forensics and incident response firm and is working with Apple so that software signed with the previous certificate cannot be newly notarized.
A key operational detail: May 8, 2026 is the date when older versions of OpenAI’s macOS desktop apps will stop receiving updates or support and may not be functional. OpenAI lists the earliest releases signed with the updated certificate as:
- ChatGPT Desktop: 1.2026.051
- Codex App: 26.406.40811
- Codex CLI: 0.119.0
- Atlas: 1.2026.84.2
OpenAI also notes that once the old certificate is fully revoked on May 8, new downloads and first-time launches of apps signed with the previous certificate will be blocked by macOS security protections.
The root cause: CI configuration details that will look familiar
OpenAI pins the root cause on a misconfiguration in the GitHub Actions workflow. Two specifics stand out for anyone maintaining release pipelines:
- The workflow used an action referenced by a floating tag rather than a specific commit hash.
- It lacked a configured minimumReleaseAge for new packages.
Those are small, easy-to-miss settings that can become high-leverage during a supply-chain incident—especially when the job has access to signing or notarization materials.
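The two settings above are easy to audit mechanically. The following Python script is an added example, not OpenAI’s code and not part of the incident write-up: it scans a GitHub Actions workflow for `uses:` references that float on a tag instead of a 40-character commit SHA, and checks the package-manager config for a minimum release age. The page names minimumReleaseAge, which is the pnpm spelling; the kebab-case .npmrc alias, the 24-hour threshold, the placeholder SHA, and the sample workflow and config text are all constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# A fully pinned action reference ends in a 40-hex-character commit SHA.
_COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref` (with or without a leading list dash).
_USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
# Accepts the camelCase key named on the page (pnpm-workspace.yaml) and the
# kebab-case .npmrc form; treating the value as minutes is an assumption.
_RELEASE_AGE = re.compile(r"^\s*(?:minimumReleaseAge|minimum-release-age)\s*[:=]\s*(\d+)")


@dataclass
class Finding:
    line: int
    message: str


def unpinned_actions(workflow_text: str) -> list[Finding]:
    """Return every `uses:` reference that is not pinned to a commit SHA.

    Local actions (`./path`) live in the repository itself and are skipped;
    docker:// references count as pinned only when they carry a digest.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(Finding(lineno, f"docker image without digest: {ref}"))
            continue
        _, sep, version = ref.partition("@")
        if not sep or not _COMMIT_SHA.match(version):
            findings.append(Finding(lineno, f"floating tag instead of commit SHA: {ref}"))
    return findings


def minimum_release_age_minutes(config_text: str) -> int:
    """Return the configured minimum release age, or 0 when it is unset."""
    for line in config_text.splitlines():
        m = _RELEASE_AGE.match(line)
        if m:
            return int(m.group(1))
    return 0


def audit(workflow_text: str, config_text: str, min_age_minutes: int = 1440) -> list[str]:
    """Combine both checks into a list of human-readable findings (empty = clean)."""
    problems = [f"line {f.line}: {f.message}" for f in unpinned_actions(workflow_text)]
    age = minimum_release_age_minutes(config_text)
    if age < min_age_minutes:
        problems.append(f"minimumReleaseAge is {age} min; expected at least {min_age_minutes}")
    return problems


# Constructed sample: the weak shape described in the incident write-up,
# floating tags on a job that holds signing material.
WEAK_WORKFLOW = """\
name: sign-macos
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: pnpm install
      - run: ./scripts/sign.sh
        env:
          SIGNING_CERT: ${{ secrets.SIGNING_CERT }}
"""
WEAK_CONFIG = "# .npmrc with no release-age floor (constructed)\nregistry=https://registry.npmjs.org/\n"

# Constructed hardened form: every action pinned to a commit SHA (placeholder
# value, not a real commit) and a 24-hour floor on freshly published packages.
PLACEHOLDER_SHA = "1" * 40
HARDENED_WORKFLOW = """\
name: sign-macos
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@%s  # v4 (placeholder SHA)
      - uses: actions/setup-node@%s  # v4 (placeholder SHA)
      - run: pnpm install
      - run: ./scripts/sign.sh
        env:
          SIGNING_CERT: ${{ secrets.SIGNING_CERT }}
""" % (PLACEHOLDER_SHA, PLACEHOLDER_SHA)
HARDENED_CONFIG = "# pnpm-workspace.yaml (constructed)\nminimumReleaseAge: 1440\n"

if __name__ == "__main__":
    for label, wf, cfg in (("weak", WEAK_WORKFLOW, WEAK_CONFIG),
                           ("hardened", HARDENED_WORKFLOW, HARDENED_CONFIG)):
        print(label, audit(wf, cfg) or "no findings")
```

The check is deliberately line-based rather than a full YAML parser, so it runs anywhere Python does and can sit in a pre-merge job; the SHA pin is what stops a retagged action from reaching the runner, and the release-age floor is what gives registries and scanners time to pull a malicious version before an install step picks it up.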
What OpenAI says is not affected
In its FAQ, OpenAI states:
- No evidence that OpenAI products or user data were compromised or exposed.
- No evidence of malware being signed as OpenAI, and notarization events with the impacted material were confirmed as expected.
- Passwords and OpenAI API keys were not affected.
- The issue affects only OpenAI macOS apps (not iOS, Android, Linux, Windows, or web apps).
For updates, OpenAI says macOS users should use in-app update mechanisms or official download pages: ChatGPT Desktop, Codex App, Codex CLI, and Atlas.
Source: https://openai.com/index/axios-developer-tool-compromise/