OpenAI Urges macOS App Updates After npm Supply Chain Attack

On May 13, 2026, OpenAI announced it had rotated the code-signing certificates for its macOS apps following a supply chain attack targeting npm packages of the popular open-source library TanStack. Users of ChatGPT Desktop, the Codex app, Codex CLI, and Atlas must update to the latest version by June 12, 2026. The iOS, Android, and Windows apps are not affected. (OpenAI blog)

The incident began with a compromise of TanStack's npm packages on May 11 UTC. The attack affected two employee devices within OpenAI's corporate environment, resulting in limited credential material (including items related to signing certificates) being exfiltrated from internal source code repositories. In response, OpenAI rotated the code-signing certificates for its macOS apps. If users do not update, apps signed with the old certificates may be blocked by macOS security protections after June 12, and support may end. Rather than revoking certificates immediately, OpenAI provided a grace period to avoid user confusion caused by Apple's notarization system. (OpenAI blog)

OpenAI stated clearly that it had found no evidence of access to user data, compromise of its production systems or intellectual property, or modification of its software, and said password resets or API key rotations are not necessary. It recommends updating through the apps themselves or via official download links. Examples of legacy versions to be deprecated after June 12 include ChatGPT Desktop 1.2026.118, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1. (OpenAI blog)

This is the second incident of its kind for OpenAI. In April 2026, the company similarly rotated macOS app certificates after a compromise of another developer tool, Axios (attributed to a North Korea-linked threat actor), and asked users to update by May 8. (OpenAI Axios page) OpenAI had strengthened its CI/CD pipeline after the Axios incident (including a minimumReleaseAge setting), but the two affected devices had not had that configuration applied.

The latest attack, dubbed "Mini Shai-Hulud," is attributed to a group called TeamPCP. It chained GitHub Actions vulnerabilities (abuse of pull_request_target, cache poisoning, and OIDC token extraction) to publish 84 malicious npm packages in a short window. TanStack is a popular library for React, Vue, and Solid; @tanstack/react-router alone exceeds 12 million weekly downloads. The malware steals credentials and is self-propagating, and Mistral AI and UiPath are reported to have been affected around the same time. (Snyk analysis)(The Record) The case illustrates a risk that affects the entire open-source ecosystem, not just a single company.

On X, the conversation has centered on reposts and summaries of the official email and blog, with security accounts such as @DailyDarkWeb and @IntCyberDigest sharing details to strong engagement (one @IntCyberDigest post drew over 2,100 likes). Many posts emphasize the seriousness of the supply chain attack, the threat posed by TeamPCP, and the need to update on macOS, with some noting that rotating certificates even over limited credentials suggests attackers may have been close to creating signed malicious apps. (@IntCyberDigest) Developers and users have renewed concerns about open-source dependency risk and pointed to feature gaps with Windows/Linux, while Grok itself confirmed the notice as a "genuine notice" in one exchange. Reports of post-update behavior from real users remain sparse, with last-minute reminders dominating ahead of the deadline. (@grok) Security outlets including The Record and PCMag have also reported in detail, covering similarities to the Axios incident and TeamPCP's involvement. (PCMag)