A recent wave of attacks on the npm ecosystem has produced a series of supply chain compromises, with OpenAI affected for the second time in a row. According to an official security advisory, several employees were compromised during the TanStack supply chain incident, potentially allowing unauthorized actors to exfiltrate OpenAI's code signing certificates.
In response, OpenAI has announced a mandatory rotation of its code signing certificates to prevent the distribution of backdoored builds of ChatGPT or its other applications. Users are urged to update ChatGPT, Codex, and the Atlas browser to their latest versions immediately.
Following a forensic investigation into the TanStack event, OpenAI confirmed that the workstations of two employees were compromised after they installed tainted npm packages. Upon detecting the malicious activity, the firm initiated containment measures to secure its infrastructure.
While the affected employees had access to internal source code repositories, OpenAI maintains that only a small number of credentials was exfiltrated. Crucially, the core codebase was not tampered with, and all user data remains secure, with no evidence of leakage detected.
The exfiltrated material included code signing certificates for iOS, macOS, and Windows. Because these certificates are being re-issued, macOS users must manually update their client software; Windows and iOS users require no further action at this time.
OpenAI is scheduled to formally revoke the compromised certificates on June 12, 2026. After that date, macOS will refuse to run any OpenAI for macOS software signed with the old certificates.
Affected versions (signed with the certificates being revoked):
- ChatGPT Desktop: Version 1.2026.125 and all antecedent releases
- Codex Desktop: Version 26.506.31421 and all antecedent releases
- Codex CLI: Version 0.130.0 and all antecedent releases
- Atlas Browser: Version 1.2026.119.1 and all antecedent releases
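A fleet inventory check is the practical follow-up to this list: given the versions reported by endpoints, flag every install that is at or below the affected ceiling. The script below is an added example, not code from OpenAI or from the advisory; the version ceilings are the ones listed above, the product-name keys and the sample inventory are constructed for illustration, and it assumes plain dotted numeric version strings (no pre-release tags), comparing them component by component so that a shorter prefix such as 1.2026.119 sorts below 1.2026.119.1.

```python
from __future__ import annotations

# Affected version ceilings, taken from the advisory text above.
# Any release at or below the ceiling is signed with the certificates being revoked.
# Product-name keys are an assumption made for this example.
AFFECTED_CEILINGS: dict[str, str] = {
    "ChatGPT Desktop": "1.2026.125",
    "Codex Desktop": "26.506.31421",
    "Codex CLI": "0.130.0",
    "Atlas Browser": "1.2026.119.1",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version string into a tuple of ints for numeric comparison.

    Tuple comparison gives the ordering we want: components are compared
    left to right, and a shorter tuple that is a prefix of a longer one
    sorts below it (1.2026.119 < 1.2026.119.1). Pre-release suffixes are
    not expected in the advisory's versions, so anything non-numeric is rejected.
    """
    parts = version.strip().split(".")
    if not parts or any(not part.isdigit() for part in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in parts)


def is_affected(product: str, installed: str) -> bool:
    """True if the installed version is at or below the affected ceiling.

    Raises KeyError for products not covered by the advisory, so an unknown
    product is surfaced rather than silently reported as safe.
    """
    ceiling = AFFECTED_CEILINGS[product]
    return parse_version(installed) <= parse_version(ceiling)


def triage(inventory: dict[str, str]) -> dict[str, bool]:
    """Map each product in an inventory to whether its installed version is affected."""
    return {product: is_affected(product, version) for product, version in inventory.items()}


# Constructed sample inventory (not real data): what an endpoint agent might report.
SAMPLE_INVENTORY: dict[str, str] = {
    "ChatGPT Desktop": "1.2026.118",   # below ceiling -> affected
    "Codex Desktop": "26.507.1",       # above ceiling -> not affected
    "Codex CLI": "0.130.0",            # equal to ceiling -> affected
    "Atlas Browser": "1.2026.120",     # above ceiling -> not affected
}


if __name__ == "__main__":
    for product, affected in triage(SAMPLE_INVENTORY).items():
        status = "UPDATE REQUIRED" if affected else "ok"
        print(f"{product:16s} {SAMPLE_INVENTORY[product]:>14s}  {status}")
```

Run it against whatever your endpoint management tooling exports as a product-to-version map; on macOS the same check matters most, since installs flagged here stop launching once the old certificates are revoked.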