News · OpenAI rotates its macOS signing certificate after a poisoned Axios build ran in its app-signing pipeline
OpenAI rotates its macOS signing certificate after a poisoned Axios build ran in its app-signing pipeline
A compromised JavaScript dependency reached the workflow that certifies ChatGPT Desktop, Codex, and Atlas — and the fix is a forced client update before May 8, 2026.
A frontend HTTP library ended up inside the code-signing job
Axios is one of the most widely used HTTP clients in the JavaScript ecosystem — the kind of dependency that sits quietly in the transitive tree of countless frontend and Node tooling projects. On March 31, 2026 (UTC) a malicious version, 1.14.1, was published as part of a broader supply-chain attack.
What makes OpenAI's disclosure specific is where that library was running. The compromised Axios build was pulled and executed by a GitHub Actions workflow used in OpenAI's macOS app-signing process — the same job that had access to the certificate and notarization material for ChatGPT Desktop, Codex, Codex CLI, and Atlas. A JavaScript package meant for making web requests found itself adjacent to the keys that tell macOS these apps are genuinely from OpenAI.
The uncomfortable lesson is that a signing pipeline is only as trustworthy as every package it installs at build time. The certificate is the crown jewel; the workflow around it inherited the risk surface of the entire npm dependency graph.
Two concrete misconfigurations OpenAI names
OpenAI is unusually precise about root cause. The workflow referenced the offending action by a floating tag rather than a pinned commit hash, and it had no configured minimumReleaseAge for new packages.
The action in question used a floating tag, as opposed to a specific commit hash, and did not have a configured minimumReleaseAge for new packages.Montana Labs
Both are recognizable to anyone who maintains CI. A floating tag means the workflow silently accepts whatever the maintainer — or an attacker who compromised the maintainer — repoints that tag to. A minimumReleaseAge would have imposed a quarantine window, refusing packages published too recently to have been vetted; had it been set, the March 31 malicious version might never have been consumed. These are not exotic defenses. They are the standard hardening advice for pinning and delaying dependency updates, applied here to a pipeline where the blast radius happened to be a signing certificate.
The remediation puts the cost on the client, not the server
OpenAI concluded the certificate was likely not exfiltrated, citing payload timing, certificate injection sequencing, and other mitigating factors. It found no evidence of misused notarization, no unauthorized modifications to published software, and no compromise of user data or API keys. Yet it is treating the certificate as compromised anyway and rotating it.
That decision moves the remediation to every macOS user. New builds signed with the fresh certificate ship as the earliest supported versions — ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex CLI 0.119.0, and Atlas 1.2026.84.2 — and after May 8, 2026 older versions may stop functioning entirely once the old certificate is fully revoked.
The staged approach is deliberate. OpenAI has already blocked new notarizations against the old certificate, so a forged app signed with it would fail Gatekeeper by default unless a user manually bypasses protections. The 30-day window before full revocation exists to let in-app updaters catch up, and OpenAI says it will accelerate revocation if it detects malicious activity during that window.
What a signing-pipeline compromise means for teams shipping desktop clients
The visible surface of these products is a chat window and a code editor, but the trust anchor is a certificate produced by a build job. This incident collapses the distinction between frontend dependencies and production security: a package installed to support tooling sat in the same execution context as signing material, and one poisoned release forced a certificate rotation felt by every Mac user of four separate apps.
For anyone operating similar pipelines, the actionable takeaways are the ones OpenAI names against itself — pin actions to commit hashes, impose a release-age quarantine on new packages, and treat the workflow that touches signing keys as the highest-privilege environment you run, isolated from ordinary dependency installs. The certificate rotation and forced client update were the expensive recovery; the cheap prevention was two lines of CI configuration.
Find this story relevant to you?
Contact us to find a unique solution
Need an AI engineering partner that can actually build?
We help businesses integrate AI, build AI-powered products, automate high-value workflows, and modernize the software systems behind them.
Related reading
More analysis around product delivery, operational AI, and the systems work that makes deployment hold up in reality.