ainewsblitz.com

Breaking

OpenAI Urges macOS App Updates After npm Supply Chain Attack

On May 13, 2026, OpenAI announced it had rotated the code-signing certificates for its macOS apps following a supply chain attack targeting npm packages of the popular open-source library TanStack. Users of ChatGPT Desktop, the Codex app, Codex CLI, and Atlas must update to the latest version by June 12, 2026. The iOS, Android, and Windows apps are not affected. (OpenAI blog)

The incident began with a compromise of TanStack's npm packages on May 11 UTC. The attack affected two employee devices within OpenAI's corporate environment, resulting in limited credential material (including items related to signing certificates) being exfiltrated from internal source code repositories. In response, OpenAI rotated the code-signing certificates for its macOS apps. If users do not update, apps signed with the old certificates may be blocked by macOS security protections after June 12, and support may end. Rather than revoking certificates immediately, OpenAI provided a grace period to avoid user confusion caused by Apple's notarization system. (OpenAI blog)

OpenAI stated clearly that it had found no evidence of access to user data, compromise of its production systems or intellectual property, or modification of its software, and said password resets or API key rotations are not necessary. It recommends updating through the apps themselves or via official download links. Examples of legacy versions to be deprecated after June 12 include ChatGPT Desktop 1.2026.118, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1. (OpenAI blog)

Continue reading

The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.

$20
Read this article
$29/month
Unlimited — all 5,794 articles, the full archive, and comprehension quizzes
Save 72%
$98/year
≈ $8.17/month
Unlimited, billed once a year