OpenAI Rotates Signing Certificates After npm Supply Chain Breach

May 16, 2026


Published: May 16, 2026 at 12:13 AM

Updated: May 16, 2026 at 12:13 AM

100-word summary

Two OpenAI engineers installed a compromised npm package on May 11, exposing code-signing certificates buried in internal repositories. No customer data or production systems were touched, but the certificates that verify OpenAI's desktop apps as legitimate software had to be rotated anyway. Mac users now have until June 12 to update their apps before the old certificates are revoked and macOS blocks them from launching. Windows and iOS users don't need to do anything. The real story: attackers are hunting developers, not end users. Compromise one popular open-source library and you can reach thousands of engineering machines at once, each a potential gateway to signing keys and credentials.
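Added example, not from the article or from OpenAI: a Python scan a team can run over a checkout to catch the two things this incident combines, signing material (PEM private keys, PKCS#12 bundles) committed to a repository and npm lifecycle hooks in any package.json. The sample tree it builds is constructed for the demonstration; run it against a real checkout by calling scan_repo on that path (after `npm install --ignore-scripts` if you want dependency package.json files included).

```python
import json
import re
import tempfile
from pathlib import Path

# Private key material that should never sit in a source repository.
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# Code-signing certs are usually exported as PKCS#12 bundles; flag by extension.
KEYSTORE_SUFFIXES = {".p12", ".pfx"}
# npm lifecycle hooks run arbitrary code at install time, the vector in the incident.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def scan_repo(root):
    """Return sorted (relative path, reason) findings for the checkout under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in KEYSTORE_SUFFIXES:
            findings.append((rel, "pkcs12 keystore committed"))
            continue
        data = path.read_bytes()
        if PEM_KEY_RE.search(data):
            findings.append((rel, "PEM private key committed"))
        if path.name == "package.json":
            try:
                doc = json.loads(data)
            except ValueError:
                continue  # malformed manifest; not our concern here
            scripts = doc.get("scripts", {}) if isinstance(doc, dict) else {}
            hooks = [h for h in INSTALL_HOOKS if h in scripts]
            if hooks:
                findings.append((rel, "npm install hook: " + ", ".join(hooks)))
    return sorted(findings)


def build_sample_repo():
    """Constructed sample checkout (placeholder data, not real keys) for a stand-alone run."""
    root = Path(tempfile.mkdtemp())
    (root / "tools").mkdir()
    (root / "tools" / "sign.pem").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    (root / "tools" / "release.p12").write_bytes(b"\x30\x82")  # stub DER header only
    (root / "README.md").write_text("Release signing notes\n")
    (root / "package.json").write_text(json.dumps(
        {"name": "app", "scripts": {"postinstall": "node setup.js", "test": "jest"}}))
    return root


if __name__ == "__main__":
    for rel, reason in scan_repo(build_sample_repo()):
        print(f"{reason}: {rel}")
```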

