Krux

April 13, 2026
OpenAI's Mac Apps Hit by Axios Library Attack
Published: April 13, 2026 at 12:32 AM
Updated: April 13, 2026 at 12:32 AM
What happened
A poisoned version of the widely used Axios library slipped into OpenAI's macOS app-signing workflow on March 31, forcing the company to rotate its entire code-signing certificate. The culprit? A GitHub Actions workflow that used a floating tag instead of pinning to a specific commit hash. No user data leaked and no malware was signed, but every Mac user running ChatGPT Desktop, Codex, or Atlas needs to update now. Old versions stop working May 8.
Why it matters
The incident reveals how a single dependency slip in a build pipeline can trigger a certificate crisis affecting millions, even when nothing actually gets compromised.