Overview
- OpenAI, which disclosed the issue Friday, April 10, is forcing updates to its Mac apps, with older builds set to lose support and possibly stop working after May 8.
- A malicious Axios package briefly ran on March 31 inside a GitHub Actions build workflow that could reach the materials used to sign and notarize macOS apps; signing and notarization are what tell a Mac an app is genuine.
- OpenAI says its review found no evidence of user-data access, system breaches, code changes, or stolen passwords, and it says passwords and OpenAI API keys were not affected.
- The company revoked and is replacing its Mac signing and notarization certificates and is urging users to update ChatGPT Desktop, Codex App, Codex CLI, and Atlas through in‑app updates or official links.
- Security researchers report the Axios tampering is tied to suspected North Korea–linked actors, though that attribution remains unconfirmed.