OpenAI Security Update macOS: Urgent Patch Issued After Supply-Chain Attack
OpenAI has released an urgent security update for its macOS applications following a supply-chain attack that compromised internal code-signing certificates. The breach, dubbed the Mini Shai-Hulud attack, targeted the TanStack npm library and allowed threat actors to access two employee devices. Users of the ChatGPT Desktop and Codex apps on macOS must install the latest versions by June 12, 2026, to ensure continued functionality and security.
The security incident began when attackers identified as TeamPCP deployed 84 trojanized packages within the npm registry. These malicious packages were designed to steal developer credentials and internal tokens from companies involved in AI infrastructure. OpenAI confirmed that while the attackers managed to exfiltrate code-signing certificates, no customer data or production systems were impacted by the breach. The company is now rotating all affected keys and certificates as a preventative measure.
This vulnerability is part of a broader exploit tracked as CVE-2026-45321, which carries a high-severity CVSS score of 9.6. Beyond OpenAI, other major AI firms including Mistral AI and UiPath were also targeted in the campaign. The malicious code allowed the threat actors to monitor internal activity on the compromised devices before the intrusion was detected and mitigated.
For macOS users, the update is mandatory because Apple's Gatekeeper security system will block older versions of the apps once the compromised certificates are revoked. OpenAI stated that it is rotating certificates across macOS, iOS, and Android platforms, though the primary impact for end users is currently on the desktop experience. Windows users are reportedly less affected by this specific certificate rotation.
To maintain access to AI tools, users should check for updates within the ChatGPT app or download the latest version directly from the official website. Failure to update before the June 12 deadline will result in the application being unable to launch on macOS devices. OpenAI continues to monitor its internal systems to prevent further unauthorized access following the cleanup of the trojanized developer libraries.