OpenAI says a recent software supply-chain attack tied to the “Mini Shai-Hulud” malware campaign impacted two employee devices and exposed limited internal credentials, prompting the company to rotate code-signing certificates for its desktop applications.
The company said it found no evidence that customer data, production systems, or intellectual property were compromised.
The disclosure follows a wider open-source ecosystem breach disclosed earlier this week involving hundreds of malicious npm and PyPI packages connected to compromised projects from TanStack, Mistral AI, UiPath, OpenSearch, and others.
In a security advisory published Thursday, OpenAI said the incident began on May 11, 2026, when attackers compromised the widely used TanStack npm ecosystem as part of the broader Mini Shai-Hulud campaign. The company said two employee devices inside its corporate environment downloaded the malicious package before newer supply-chain protections had been fully deployed.
According to OpenAI, the malware activity matched publicly documented behavior associated with Mini Shai-Hulud, including credential theft and unauthorized access attempts targeting source code repositories. The company said the attackers successfully exfiltrated “limited credential material” from a small number of internal repositories accessible to the affected employees.
The compromised repositories included code-signing certificates used to validate OpenAI software releases. As a precaution, the company is now rotating those certificates and requiring macOS users to update their applications before June 12, 2026.
OpenAI said it isolated the impacted systems, revoked user sessions, rotated credentials tied to affected repositories, temporarily restricted deployment workflows, and engaged a third-party digital forensics and incident response firm to assist with the investigation.
“We have found no evidence that OpenAI products or user data were compromised or exposed,” the company stated in its FAQ. It also said investigators found no evidence that malware had been signed using OpenAI certificates or that existing software installations had been altered.
The company warned that once the older certificates are revoked on June 12, macOS security protections will block new downloads and launches of applications signed with the previous credentials. Users must update to newer versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas before that deadline to avoid disruptions.
Windows and iOS users do not need to take action, though OpenAI confirmed that signing keys for Windows, macOS, iOS, and Android were all included in the affected repositories and are being replaced.
The Mini Shai-Hulud campaign emerged earlier this week after researchers discovered attackers abusing weaknesses in GitHub Actions workflows to compromise npm packages maintained by TanStack. Attackers reportedly chained together several techniques, including cache poisoning and extraction of OpenID Connect publishing tokens from GitHub runners, allowing them to automatically republish malicious package versions using stolen credentials.
The malware deployed heavily obfuscated payloads to harvest GitHub tokens, npm credentials, AWS keys, Kubernetes tokens, SSH keys, and CI environment secrets. Researchers also found persistence mechanisms targeting Visual Studio Code and Anthropic Claude Code environments.
OpenAI added that it had accelerated deployment of additional protections after the earlier Axios-related supply-chain incident, including stricter package provenance validation, hardened CI/CD credential handling, and package manager controls such as minimumReleaseAge designed to reduce exposure to newly published malicious packages.
Leave a Reply