OpenAI Forces macOS Update After TanStack Supply Chain Attack Compromised Signing Keys
OpenAI is requiring all macOS users to update their applications by June 12 or risk losing access to updates and support, after a supply chain attack compromised the signing keys used to verify that the company's software is genuine. The move comes as security researchers track an expanding campaign that compromised TanStack, a widely used open-source library, along with additional npm and PyPI packages linked to multiple AI companies.
The company confirmed that two employee devices within its corporate environment were directly affected by the attack. OpenAI has retained an incident response firm to investigate the breach and contain further spread. The attackers targeted the code-signing infrastructure that lets a user's system verify that software comes from the legitimate developer and has not been altered since it was signed. Because certificates tied to the compromised keys can no longer be trusted, older versions of OpenAI's applications signed with them can no longer prove their authenticity to user systems.
The broader campaign appears to have targeted the AI development ecosystem as a whole, affecting packages distributed through npm and PyPI, the standard registries for sharing JavaScript and Python libraries. OpenAI stated that the new certificates shipped with the required update will restore signature verification, letting users confirm that their software comes from the genuine developer. The June 12 deadline underscores the urgency: after that date, unpatched installations will no longer receive security updates or technical support, and core functionality may degrade. Security analysts are watching whether other AI companies announce similar protective measures as the full scope of the supply chain compromise continues to unfold.