
macOS Flags ChatGPT App as Malware Due to Certificate Revocation

Severity: Medium (Score: 55.5)

Sources: Letsdatascience, Osxdaily

Published: 2026-05-29 · Updated: 2026-05-29

Keywords: chatgpt, malware, macos, flags, reinstallation, restores, notarization

Severity indicators: ot, malware

Summary

Mac users reported that the ChatGPT desktop app was flagged as malware by macOS's XProtect system, which moved the app to the Trash. This issue arose after OpenAI revoked security certificates for older app versions due to a third-party security incident involving the developer tool Axios. Users were advised to reinstall or update the app from official sources to restore notarization. Malwarebytes also reported a related threat from a fake download site distributing malware disguised as ChatGPT installers. The fake site, openew[.]app, delivers Windows credential stealers and a macOS strain named Odyssey Stealer. OpenAI confirmed the certificate change and advised users to update their apps to avoid issues. The situation highlights both false-positive malware flags and real malware risks for users.

Key Points:

  • macOS flagged the ChatGPT app as malware due to revoked security certificates.
  • Users are advised to reinstall the app from official sources to restore functionality.
  • A fake download site is distributing malware disguised as ChatGPT installers.

Detailed Analysis

**Impact**

macOS users of the ChatGPT desktop app experienced false-positive malware detections resulting in the app being moved to Trash, causing service disruption. The issue affects users globally who have not updated to the latest notarized app version following OpenAI’s certificate revocation due to a third-party security incident. Additionally, users risk credential theft and cryptocurrency wallet compromise if they download ChatGPT installers from a malicious impersonation site distributing Windows and macOS malware, including Odyssey Stealer. No specific sector or geographic concentration was reported.

**Technical Details**

The root cause is OpenAI’s revocation of the macOS notarization certificate for older ChatGPT app versions after a security issue involving the third-party tool Axios, triggering macOS XProtect to flag these apps as malware. Adversaries exploit this by hosting fake ChatGPT installers on openew[.]app, distributing a Windows credential stealer (Chat_GPT.exe) and a macOS strain (Odyssey Stealer) that targets browser data, Telegram sessions, and cryptocurrency wallets. The attack chain includes supply chain compromise (Axios incident), certificate revocation, and user deception via lookalike domains. No CVEs were specified.

**Recommended Response**

Users should immediately update or reinstall the ChatGPT app from official sources to restore notarization and prevent false malware flags. Organizations should enforce managed software distribution methods (MDM, official app stores) and verify vendor update notices through primary channels to avoid fake installers. Security teams must block domains like openew[.]app and monitor for indicators of Odyssey Stealer and credential-stealing payloads. Monitoring for XProtect updates and educating users on verifying download sources are advised.

Source articles (2)

  • Mac Saying ChatGPT is Malware? Here's Why & How to Fix It — Osxdaily · 2026-05-28
    A fair number of people who use the ChatGPT app for Mac have recently run into a strange and alarming malware message when attempting to open and use ChatGPT. The error says that “Malware Blocked and…
  • macOS Flags ChatGPT App, Reinstallation Restores Notarization - Let's Data Science — Letsdatascience · 2026-05-29
    Mac users have reported that macOS's built-in malware blocker, XProtect, flagged the ChatGPT desktop app as malware and moved it to the Trash, according to reporting from MacTrast and Forbes. MacTras…

Timeline

  • 2026-05-08 — OpenAI warns users to update ChatGPT app: OpenAI advised users to update their macOS apps by May 8, 2026, to retain notarization after a security issue was identified.
  • 2026-05-29 — macOS flags ChatGPT app as malware: Users reported that macOS's XProtect flagged the ChatGPT app as malware and moved it to the Trash, causing confusion among users.
  • Recent — Malwarebytes reports fake download site: Malwarebytes identified a site, openew[.]app, distributing fake ChatGPT installers and delivering malware to users.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Supply Chain Attack (Attack Type)
  • TanStack Npm Supply Chain Attack (Campaign)
  • chatgpt.app (Domain)
  • openew.app (Domain)
  • Odyssey Stealer (Malware)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • MacOS (Platform)
  • Windows (Platform)
  • Axios (Platform)