When hackers got access to an account belonging to the maintainer of Axios they inserted a script that granted remote access to users’ Windows, macOS, and Linux devices. This malicious version potentially compromised ChatGPT’s macOS apps, so OpenAI is issuing an update and new certificates to mitigate any risks. The company stated in a blog post: > On March 31, 2026 (UTC), Axios, a widely used third-party developer library, was compromised as part of a broader software supply chain attack. At that time, a GitHub Actions workflow we use in the macOS app-signing process downloaded and executed a malicious version of Axios (version 1.14.1). This workflow had access to a certificate and notarization material used for signing macOS applications, including ChatGPT Desktop, Codex, Codex-cli, and Atlas. This certificate helps customers know that software comes from the legitimate developer, OpenAI.
OpenAI responds to Axios HTTP hack by updating security certificates.