Sam saw a macOS alert saying codex-aarch64-apple-darwin was blocked and moved to Trash because it contained malware. The goal was to determine whether Codex had deployed malware locally or whether this was a stale Codex installation artifact caught by macOS security.
I inspected the trashed binary, quarantine metadata, Homebrew cask metadata, code signature, Gatekeeper status, current Codex app signature, likely persistence locations, and running Codex-related processes. The strongest validation was a fresh download of the official release asset named in Homebrew metadata: https://github.com/openai/codex/releases/download/rust-v0.107.0/codex-aarch64-apple-darwin.tar.gz. The downloaded tarball matched Homebrew's expected SHA-256, and the extracted binary hash exactly matched the file macOS moved to Trash.
Conclusion: this was not malware deployed by a workspace task. It was the old official OpenAI Codex CLI installed through Homebrew, later blocked by macOS because the old signing certificate now reports as revoked.
A broad find /Users/samaguiar -name codex-aarch64-apple-darwin* search was too slow, so I stopped it and switched to targeted checks in Trash, .codex, Downloads, Homebrew paths, application support, temp folders, and /Applications. macOS unified log searches did not return useful event details for the alert, likely because the relevant security UI event was not retained in readable logs or was privacy-filtered.
A Notion enhanced Markdown spec fetch using notion://docs/enhanced-markdown-spec returned INVALID_ARGUMENT; the export used simple Notion Markdown instead.
I preserved the trashed binary rather than deleting it because it is still useful evidence. I did not uninstall or reinstall the Homebrew cask without Sam choosing the cleanup path. The active Codex app at /Applications/Codex.app was verified separately and passes Gatekeeper with a stapled notarization ticket.
Local incident note: /Users/samaguiar/Documents/Projects/admin/session_logs/codex-malware-alert-investigation-2026-05-10.md
QA queue mirror: /Users/samaguiar/Documents/Codex/_qa-queue/2026-05-10.md
Trashed evidence file: /Users/samaguiar/.Trash/codex-aarch64-apple-darwin
Stale Homebrew symlink: /opt/homebrew/bin/codex points to /opt/homebrew/Caskroom/codex/0.107.0/codex-aarch64-apple-darwin, whose target is now missing.
Active Codex app: /Applications/Codex.app, version 26.506.31421, accepted by Gatekeeper.
The investigation is complete. The old binary remains in Trash. The active Codex app is still running and accepted by Gatekeeper. The Homebrew cask is stale and leaves a dangling symlink, but it is not currently what which codex resolves to inside this Codex session.
QA Recommendations Pending Approval