Overview
- OpenAI will require macOS users to update ChatGPT Desktop and other apps by June 12 because older builds were signed with exposed certificates that Apple’s checks will no longer trust.
- The breach affected two employee devices and led to credential theft from a small set of internal code repositories, with no evidence that user data, production systems, or published software were accessed or altered.
- OpenAI isolated affected assets, revoked sessions, rotated credentials and code‑signing certificates, re‑signed apps, and brought in an outside digital forensics team to verify the cleanup.
- The exposure traces to the Mini Shai‑Hulud campaign that hijacked TanStack releases, where attackers pushed 84 malicious versions in minutes and used a worm to steal developer and cloud credentials and spread through CI/CD pipelines.
- Investigators say they have found no sign the exposed certificates were used to sign malware, and OpenAI advises Mac users to install updates from official channels while Windows and iOS users need no special action.