Particle.news

OpenAI Rotates Mac Signing Certificates, Sets May 8 Update Deadline After Axios Hack

The move guards against possible misuse of a signing key exposed by a brief Axios supply chain breach.

Overview

  • OpenAI will revoke its old Mac signing certificate on May 8, which means older versions of ChatGPT Desktop, Codex, Codex CLI, and Atlas will stop launching on macOS unless users update.
  • The action follows a March 31 event in which a GitHub Actions job that signs Mac apps downloaded and executed a trojanized Axios 1.14.1 package.
  • OpenAI says it found no evidence of user data access, altered software, or certificate theft, and that the impact is limited to its macOS apps; its web, iOS, Android, Windows, and Linux products are not affected.
  • The company brought in a third‑party forensics team, fixed a misconfiguration in its GitHub workflow, and worked with Apple so the revoked certificate cannot be used to notarize new apps.
  • Researchers link the Axios compromise to North Korea‑linked UNC1069, noting the attackers slipped a WAVESHAPER V2 backdoor into a fake dependency called plain‑crypto‑js that spread quickly after publication.
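The two indicators this summary names, a trojanized axios 1.14.1 release and a fake dependency called plain-crypto-js, are exactly what a build engineer would want to check a CI job's dependency tree for. The script below is an added example, not code from OpenAI, Axios, or the researchers cited; it assumes an npm lockfile in either the v1 (nested "dependencies") or v2/v3 (flat "packages") layout, and the sample lockfiles embedded in it are constructed for illustration. The version string for plain-crypto-js is not given on the page, so that name is flagged at any version.

```python
"""Audit an npm lockfile for packages named in the Axios supply chain incident.

Added example (not OpenAI's or Axios' code). Assumes npm lockfile layouts
v1 (nested "dependencies") and v2/v3 (flat "packages" keyed by install path).
"""
import json
import sys
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Package name -> set of bad versions; None means every version is flagged.
# Values taken from the summary above: axios 1.14.1 and the fake plain-crypto-js.
FLAGGED: Dict[str, Optional[Set[str]]] = {
    "axios": {"1.14.1"},
    "plain-crypto-js": None,
}


def _walk_v1(deps: dict) -> Iterator[Tuple[str, str]]:
    """Recursively yield (name, version) from a lockfileVersion 1 tree."""
    for name, meta in deps.items():
        yield name, meta.get("version", "")
        yield from _walk_v1(meta.get("dependencies", {}))


def iter_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every package recorded in the lockfile."""
    if "packages" in lock:
        # v2/v3: keys look like "node_modules/a/node_modules/b"; "" is the root.
        for path, meta in lock["packages"].items():
            if not path:
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", "")
    else:
        yield from _walk_v1(lock.get("dependencies", {}))


def find_flagged(lock: dict, flagged=FLAGGED) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (name, version) pairs that match FLAGGED."""
    hits = set()
    for name, version in iter_packages(lock):
        if name not in flagged:
            continue
        bad_versions = flagged[name]
        if bad_versions is None or version in bad_versions:
            hits.add((name, version))
    return sorted(hits)


# Constructed sample lockfiles (not real project data).
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "mac-signing-job",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "mac-signing-job", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/example-helper": {"version": "2.3.4"},
    "node_modules/plain-crypto-js": {"version": "0.0.1"},
    "node_modules/example-tool/node_modules/axios": {"version": "1.6.8"}
  }
}""")

SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "example-tool": {
            "version": "2.0.0",
            "dependencies": {"axios": {"version": "1.14.1"}},
        },
        "axios": {"version": "1.6.8"},
    },
}


def audit_file(path: str) -> int:
    """Load a lockfile from disk and return a shell-style exit code (1 = hits)."""
    with open(path, encoding="utf-8") as fh:
        hits = find_flagged(json.load(fh))
    for name, version in hits:
        print(f"FLAGGED: {name}@{version}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python audit_lock.py package-lock.json
    sys.exit(audit_file(sys.argv[1]) if len(sys.argv) > 1 else 0)
```

Run it against the lockfile that the signing job actually installs from, not against package.json: a semver range in package.json says nothing about which release the CI runner resolved, while the lockfile records the exact version, which is what the check needs. A non-zero exit lets it gate the workflow step that performs signing.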