OpenAI Revokes macOS App Certificate After Supply Chain Attack on Axios Library
The AI company issued emergency security updates following a malicious code injection into a widely-used JavaScript package.

OpenAI revoked the code-signing certificates for its macOS ChatGPT application over the weekend after identifying that a third-party JavaScript library used in the app had been compromised in a supply chain attack.
The incident centers on Axios, a popular HTTP client library for JavaScript with over 100 million weekly downloads on npm, the primary package repository for Node.js developers. According to reports from The Hacker News and The Cyber Express, attackers gained publishing access to the Axios npm package and released a version containing unauthorized code. Any application whose build pulled that version carried the attacker's code inside its own signed, trusted binary.
OpenAI moved quickly to contain the situation. In a statement to The Hindu, the company confirmed it had "identified a security issue involving a third-party tool" but emphasized that "user data was not accessed." The company declined to provide additional technical details about the nature of the malicious code or how long the compromised version may have been in circulation.
Emergency Certificate Revocation
The most immediate impact for users is OpenAI's decision to revoke its existing macOS app certificates: the Developer ID code-signing certificates that macOS uses to confirm the ChatGPT app was signed by OpenAI and has not been altered since. Revocation is not the same as expiry. Once macOS learns that a certificate has been revoked, Gatekeeper refuses to launch binaries signed with it, so revoking the old certificate acts as a kill switch for every existing build, including any that shipped the compromised library.
As reported by The Times of India, OpenAI is urging all Mac users to update their ChatGPT application immediately. Users who do not install the updated version, signed with the new certificates, will be locked out of the application once the revocation takes effect on their machine.
"Update app now or risk losing access," OpenAI warned in user notifications, according to The Times of India. The company has pushed the patched version through its standard update channels.
The Growing Threat of Supply Chain Attacks
The incident highlights the persistent vulnerability of software supply chains, particularly in the JavaScript ecosystem where applications routinely depend on dozens or hundreds of third-party packages. Axios, maintained by a small team of open-source developers, has become infrastructure-level code for countless web and desktop applications.
Supply chain attacks have emerged as one of the most effective vectors for cybercriminals and state-sponsored actors. By compromising a single widely-used library, attackers can potentially gain access to thousands of downstream applications and their users. Previous high-profile incidents include the 2020 SolarWinds breach and the 2021 compromise of the ua-parser-js npm package.
According to AIBase, OpenAI's response included not just certificate rotation but also updates to its dependency management and security scanning processes to detect similar threats more quickly in the future.
No Evidence of Data Breach
OpenAI's statement that user data was not accessed suggests the company either detected the threat before any malicious payload could execute, or that the compromised code did not successfully exfiltrate information from ChatGPT's macOS application. The company has not disclosed whether it found evidence of attempted data access or what specific malicious functionality the injected code contained.
The timing of OpenAI's discovery and the speed of its response, including the drastic step of certificate revocation, indicate that the company's security team was either monitoring for such threats or received external notification of the Axios compromise.
What Users Should Do
Mac users with ChatGPT installed should open the application and check for updates immediately. The update process should be automatic for most users, but those who have disabled automatic updates will need to manually trigger the installation.
Users can confirm the installed version in the app's About section. The About dialog does not show signing information; on macOS the signing chain of any app bundle can be inspected from Terminal with codesign -dv --verbose=4 followed by the path to the .app bundle, whose Authority lines name the Developer ID certificate that signed the build, while spctl --assess --type execute followed by the same path reports whether Gatekeeper will allow it to run. OpenAI has not specified an exact version number publicly, but the update should have been pushed within the past 48 hours.
The incident serves as a reminder that even applications from major technology companies rely on vast networks of open-source dependencies, any one of which can become a security liability. For developers, it underscores the importance of pinning dependencies to exact versions with lockfile integrity hashes, running software composition analysis against those lockfiles, and having a rehearsed process for rotating signing keys and shipping a fix when an upstream package is compromised.
As of publication, the Axios maintainers have not issued a public statement about the incident, and it remains unclear whether other applications using the library have been affected or have issued similar emergency updates.