If you use ChatGPT Desktop, Codex, or Atlas on macOS -- update before May 8 or your apps stop working. Here's the two-minute version of why.
On March 31, a GitHub Actions workflow OpenAI uses to sign their macOS apps pulled down a compromised version of Axios (v1.14.1). That workflow had access to the certificates that tell macOS "this software is legitimately from OpenAI." North Korean threat actors (UNC1069) had socially engineered an npm maintainer and slipped a malicious version into the package.
The root cause? A floating tag on a dependency instead of a pinned commit hash, and no minimum release age check on new packages. That's it. No exotic zero-day. Just a config gap.
OpenAI believes the cert probably wasn't exfiltrated -- but "probably" isn't good enough when the alternative is someone signing malware that macOS Gatekeeper trusts as legitimate OpenAI software. So they're revoking the old cert entirely on May 8.
For your own pipelines, the lesson is simple: pin dependencies to commit hashes, not floating tags, and enforce a minimum release age before trusting new package versions.
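Both controls from the two paragraphs above (pinning to a commit hash rather than a floating tag, and refusing package versions younger than a minimum release age) can be checked mechanically before a signing workflow runs. The script below is an added example, not code from OpenAI or from the post's author. It scans GitHub Actions `uses:` lines for references that are not a full 40-hex commit SHA, and it applies a minimum-release-age gate using the `time` map the npm registry returns per package. The workflow text, the commit SHA, the registry timestamps and the `NOW` clock are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# A full git commit SHA is 40 hex characters; anything shorter (v4, main, a
# short SHA) can be moved by whoever controls the upstream repository.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return every 'uses:' reference that is not pinned to a full commit SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker:// images are not git refs; skip them here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(ref)  # no version at all: floats to the default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def too_new(version: str, registry_time: dict, now: datetime, min_age_days: int = 7) -> bool:
    """True if `version` was published less than `min_age_days` before `now`.

    `registry_time` has the shape of the npm registry's per-package `time` field:
    {"<version>": "<ISO-8601 publish timestamp>"}.
    """
    published = datetime.fromisoformat(registry_time[version].replace("Z", "+00:00"))
    return now - published < timedelta(days=min_age_days)


def blocked_versions(wanted: dict, registry_times: dict, now: datetime, min_age_days: int = 7) -> list[str]:
    """Return 'name@version' for each requested version that fails the age gate."""
    return [
        f"{name}@{version}"
        for name, version in wanted.items()
        if too_new(version, registry_times[name], now, min_age_days)
    ]


# --- constructed sample input (not a real workflow) -------------------------
WORKFLOW = """
name: sign-macos
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
      - uses: some-org/sign-action@main
"""

# Constructed registry metadata: the SHA above and these timestamps are made up.
REGISTRY_TIMES = {
    "axios": {
        "1.14.0": "2026-03-01T00:00:00Z",
        "1.14.1": "2026-03-31T02:00:00Z",
    }
}
NOW = datetime(2026, 3, 31, 12, 0, tzinfo=timezone.utc)  # constructed clock

if __name__ == "__main__":
    for ref in unpinned_actions(WORKFLOW):
        print(f"unpinned action: {ref}")
    for pkg in blocked_versions({"axios": "1.14.1"}, REGISTRY_TIMES, NOW):
        print(f"blocked by minimum release age: {pkg}")
```

Run it as a pre-flight step in the signing job and fail the build on any finding; a version published hours ago never reaches the runner that holds the signing material, and a floating `@v4` or `@main` never gets a chance to resolve to something new.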
Update through the app or official download page -- not from any email link. That's exactly the kind of situation attackers use to push fake installers.
One config option. Massive downstream consequences.
Deepa Gupta
Thank you!