OpenAI Rotates App Certificates After 2 Devices Hit, Requiring macOS Updates by June 12
2 articles · Updated · OpenAI · May 13
Two employee devices were compromised in the TanStack npm supply-chain attack, prompting OpenAI to rotate product code-signing certificates and require macOS users to update apps by June 12, 2026.
OpenAI said the malware reached a limited set of internal source-code repositories, where only credential material was exfiltrated; it found no evidence of customer-data exposure, product tampering, or intellectual-property compromise.
The company isolated affected systems, revoked sessions, rotated repository credentials, restricted code-deployment workflows, and hired a third-party incident-response firm while reviewing prior software notarizations for misuse.
June 12 is the planned revocation date for the old certificate; once it is revoked, macOS will refuse to open apps signed with it, whether newly downloaded or already installed, so users who have not updated by then will be left with an app that no longer launches. Windows and iOS users need take no action.
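The check a Mac administrator would want before the revocation date, as an added example rather than OpenAI's own tooling or anything from the coverage: tell installed builds signed with the old certificate apart from re-signed ones. A re-issued Developer ID certificate keeps the same subject name and team ID, so the `Authority=` line in `codesign` output cannot distinguish them; the SHA-256 fingerprint of the extracted leaf certificate can. The app path, identities, dates and fingerprints used below are constructed placeholders, and the expected fingerprint is assumed to come from a freshly downloaded, re-signed build.

```shell
#!/bin/sh
# Added example; not OpenAI's code and not from the article. Inspects which
# leaf certificate a macOS app bundle is signed with so that builds signed
# with a certificate due for revocation can be found before it stops opening.
# All sample input (app path, Developer ID, team ID, dates, fingerprints) is
# constructed; on a Mac the real values come from `codesign` and `openssl`.

# Constructed sample of `codesign -dvvv` output for an app bundle.
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 5, 2026 at 10:00:00 AM
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=42'

# Reduce `codesign -dvvv` output (on stdin) to the fields relevant to a
# certificate rotation: leaf signing identity (first Authority= line), team ID
# and secure timestamp. Prints one key=value per line.
summarize_codesign() {
    awk '
        /^Authority=/ && leaf == "" { leaf = substr($0, 11) }
        /^TeamIdentifier=/          { team = substr($0, 16) }
        /^Timestamp=/               { ts   = substr($0, 11) }
        END { printf "leaf=%s\nteam=%s\ntimestamp=%s\n", leaf, team, ts }'
}

# Normalise an `openssl x509 -noout -fingerprint -sha256` line (on stdin) to
# bare lowercase hex. Handles both "sha256 Fingerprint=AA:BB:..." (OpenSSL)
# and "SHA256 Fingerprint=AA:BB:..." (LibreSSL, as shipped with macOS).
normalize_fingerprint() {
    sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' | tr -d ':' | tr 'A-F' 'a-f'
}

# Compare a normalised leaf fingerprint ($1) with the expected one ($2, taken
# from a freshly downloaded, re-signed build; colons and case are tolerated).
# Returns 0 on match, 1 otherwise; an empty fingerprint never matches.
fingerprint_matches() {
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$1" ] && [ "$1" = "$expected" ]
}

# On a Mac: verify the signature, print the summary, extract the leaf
# certificate and compare its fingerprint with the expected one.
# Usage: check_app /Applications/Example.app <expected sha256 fingerprint>
check_app() {
    app=$1; expected=$2
    codesign --verify --deep --strict "$app" || { echo "signature invalid"; return 2; }
    codesign -dvvv "$app" 2>&1 | summarize_codesign
    tmp=$(mktemp -d) || return 2
    # --extract-certificates writes codesign0 (leaf), codesign1, ... as DER
    codesign -d --extract-certificates="$tmp/codesign" "$app" 2>/dev/null
    leaf=$(openssl x509 -inform DER -in "$tmp/codesign0" -noout -fingerprint -sha256 \
           | normalize_fingerprint)
    rm -rf "$tmp"
    echo "leaf_sha256=$leaf"
    if fingerprint_matches "$leaf" "$expected"; then
        echo "OK: signed with the expected (new) certificate"
    else
        echo "STALE: not signed with the expected certificate; update before revocation"
        return 1
    fi
}

# Stand-alone demo on any OS using the constructed sample; on a Mac, call
# check_app with the real bundle path and the fingerprint from a new build.
printf '%s\n' "$SAMPLE_CODESIGN" | summarize_codesign
```

The comparison is on the full leaf fingerprint rather than the team ID or the timestamp alone: the team ID is unchanged after a rotation, and a signing timestamp later than the rotation date only suggests, but does not prove, which certificate was used.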
OpenAI said the incident hit during a phased rollout of stronger package and CI/CD protections, underscoring a wider shift toward attacks on shared open-source dependencies and developer tooling.
Why is OpenAI waiting roughly a month, from the May disclosure to June 12, to revoke the compromised signing certificate, and what risks do users face in the meantime?
If a trusted library can become a weapon against OpenAI, is any software truly safe from supply-chain attacks?