OpenAI says it was impacted by a broad software supply chain attack carried out by a hacking group linked to North Korea.
In a security update, the ChatGPT creator says it had downloaded a malicious version of a widely used library called Axios, as part of a larger industry attack.
OpenAI says that at the time, a GitHub Actions workflow had access to the certificate used to sign macOS apps like ChatGPT Desktop, which is what proves to users that the apps are real and safe. In a worst-case scenario, hackers could use the opening to create fake OpenAI apps that look real.
“In the event that the certificate was successfully compromised by a malicious actor, they could use it to sign their own code, making it appear as legitimate OpenAI software. We have stopped new software notarizations using the old certificate, so new software signed with the old certificate by an unauthorized third party would be blocked by default by macOS security protections unless a user explicitly bypasses them.”
OpenAI says there’s no evidence that the hackers exfiltrated the certificate, stole user data or changed the firm’s software. But out of an abundance of caution, OpenAI says it is acting as if the certificate could have been exposed and is replacing it for safety.
“Effective May 8, 2026, older versions of our macOS desktop apps will no longer receive updates or support, and may not be functional. These versions represent the earliest releases signed with our updated certificate:
ChatGPT Desktop: 1.2026.051
Codex App: 26.406.40811
Codex CLI: 0.119.0
Atlas: 1.2026.84.2.”
OpenAI points to a Google Threat Intelligence Group (GTIG) report, which revealed that nation-state hackers with ties to North Korea launched a software supply chain attack that targeted Axios. According to GTIG, “hundreds of thousands of stolen secrets could potentially be circulating” as a result of the campaign.

