OpenAI Urges macOS App Updates After npm Supply Chain Attack
On May 13, 2026, OpenAI announced it had rotated the code-signing certificates for its macOS apps following a supply chain attack targeting npm packages of the popular open-source library TanStack. Users of ChatGPT Desktop, the Codex app, Codex CLI, and Atlas must update to the latest version by June 12, 2026. The iOS, Android, and Windows apps are not affected. (OpenAI blog)
The incident began with a compromise of TanStack's npm packages on May 11 UTC. The attack affected two employee devices within OpenAI's corporate environment, resulting in limited credential material (including items related to signing certificates) being exfiltrated from internal source code repositories. In response, OpenAI rotated the code-signing certificates for its macOS apps. If users do not update, apps signed with the old certificates may be blocked by macOS security protections after June 12, and support may end. Rather than revoking certificates immediately, OpenAI provided a grace period to avoid user confusion caused by Apple's notarization system. (OpenAI blog)
OpenAI stated clearly that it had found no evidence of access to user data, compromise of its production systems or intellectual property, or modification of its software, and said password resets or API key rotations are not necessary. It recommends updating through the apps themselves or via official download links. Examples of legacy versions to be deprecated after June 12 include ChatGPT Desktop 1.2026.118, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1. (OpenAI blog)
Continue reading
The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.