OpenAI confirms credential theft in ChatGPT Mac app security breach

OpenAI has confirmed a security breach affecting its ChatGPT desktop application for Mac, following a supply chain compromise of the open-source library TanStack. The incident impacted two employee devices, resulting in the exfiltration of limited credential material from internal source code repositories accessible to the affected staff.

The company stated that no user data, production systems, or intellectual property were accessed during the incident. OpenAI has engaged a third-party digital forensics and incident response firm to investigate the breach and is rotating digital certificates as a precautionary measure.

A software update is currently being rolled out to macOS users, with full deployment expected by June 12. Users on other platforms, including Windows and iOS, are unaffected and do not need to take action. OpenAI has advised Mac users to update the application when prompted.

This event follows previous security concerns regarding the ChatGPT Mac app. In 2024, a developer discovered that the application was storing user conversations locally in plain text rather than encrypting them. OpenAI has previously stated that there is no evidence of compromise to existing software installations or production systems.

The full extent of the impact on the compromised code repositories remains under investigation. The company emphasised that the breach was a supply chain compromise affecting employee access, rather than a direct attack on OpenAI’s core infrastructure.