OpenAI Suffers Supply Chain Attack Exposing Signing Certificates, macOS Clients Forced to Update Next Month
Odaily OpenAI has confirmed that its internal environment was compromised in a supply chain attack delivered through a malicious TanStack npm package, which infected two employee devices. User data and core code were unaffected, but the attackers stole access credentials for some internal code repositories, including the code signing certificates used for its iOS, macOS, and Windows products.
To prevent the attackers from using the stolen certificates to publish counterfeit applications, OpenAI has begun a defensive certificate rotation. The company announced that all macOS users of ChatGPT Desktop, Codex, and Atlas Browser must upgrade to the latest version by June 12, 2026. After that deadline the old certificates will be revoked, and macOS will refuse both to launch the older builds and to install them.
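One check a macOS user or administrator can run to tell a build signed with the rotated certificate from one signed with the old certificate, as an added example that is not OpenAI's code: it parses the output of Apple's `codesign -dvv`, compares the Team ID against a value the caller supplies (OpenAI's Team ID is not given here and is an assumption the caller must fill in), and, on a Mac, repeats Gatekeeper's decision with `spctl`. The sample `codesign` output is constructed so the parsing part runs on any POSIX shell.

```shell
#!/bin/sh
# Added example, not OpenAI's code: report which signing identity a macOS app
# bundle carries, so a build signed with the rotated certificate can be told
# apart from one signed with the old certificate. The expected Team ID is an
# assumption the caller supplies; this example does not know OpenAI's.

# Pull the TeamIdentifier= field out of `codesign -dvv` output read from stdin.
parse_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Pull the leaf (signing) certificate name: the first Authority= line.
parse_leaf_authority() {
    sed -n 's/^Authority=//p' | head -n 1
}

# check_team_id OUTPUT EXPECTED: succeed only if OUTPUT names EXPECTED as the
# team identifier. A missing TeamIdentifier (unsigned or ad-hoc signed) fails.
check_team_id() {
    found=$(printf '%s\n' "$1" | parse_team_id)
    if [ -n "$found" ] && [ "$found" = "$2" ]; then
        return 0
    fi
    return 1
}

# is_developer_id OUTPUT: succeed if the leaf certificate is a Developer ID
# Application certificate, the type used to distribute apps outside the App Store.
is_developer_id() {
    leaf=$(printf '%s\n' "$1" | parse_leaf_authority)
    case "$leaf" in
        "Developer ID Application: "*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_app APP_PATH EXPECTED_TEAM_ID: the live check, macOS only.
# 1. codesign --verify fails if the bundle was tampered with, and reports a
#    revoked signing certificate once macOS has the revocation information.
# 2. The team identifier must match the one you expect.
# 3. spctl reproduces the Gatekeeper decision: a rejected app will not launch.
verify_app() {
    app="$1"
    expected_team="$2"
    codesign --verify --strict "$app" || return 1
    out=$(codesign -dvv "$app" 2>&1) || return 1
    check_team_id "$out" "$expected_team" || return 1
    is_developer_id "$out" || return 1
    spctl --assess --type execute "$app"
}

# Constructed sample in the layout `codesign -dvv` prints; not a real capture.
SAMPLE_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2026 at 00:00:00
TeamIdentifier=ABCDE12345
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=100
Internal requirements count=1 size=200'

# Stand-alone demo on the constructed sample (works on any POSIX sh).
if check_team_id "$SAMPLE_OUTPUT" "ABCDE12345" && is_developer_id "$SAMPLE_OUTPUT"; then
    echo "sample: signed by the expected team with a Developer ID certificate"
else
    echo "sample: unexpected or missing signing identity"
fi
```

On a Mac, `verify_app /Applications/ChatGPT.app TEAMID` runs the real checks; TEAMID must come from a build you trust, and once the old certificates are revoked the `codesign --verify` and `spctl` steps will fail for an un-updated build, which is the enforcement described above.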
OpenAI said that although it had already deployed stricter package blocking policies, the affected devices had not yet synchronized with the latest configuration, which allowed the malicious component to get in. The iOS and Windows clients are currently unaffected, and core data such as user account passwords and API keys have been confirmed secure.
