OpenAI rotates – OpenAI says two employees’ devices were breached in the Mini Shai-Hulud software supply-chain campaign tied to TanStack, impacting hundreds of npm and PyPI packages. The company says no customer data, production systems, intellectual property, or deployed soft
OpenAI has confirmed it was hit indirectly in a wider TanStack-linked supply-chain attack, saying two employees’ devices were compromised and that the incident led the company to rotate code-signing certificates for its applications.
In a security advisory published today. the company said the breach did not impact customer data. production systems. intellectual property. or deployed software.. Still. OpenAI described the intrusion as credential-focused. tied to the “Mini Shai-Hulud” campaign attributed to the TeamPCP extortion gang that attackers used to slip malicious updates into widely used software packages.
OpenAI said it observed activity consistent with Mini Shai-Hulud’s publicly described behavior. including unauthorized access and credential-focused exfiltration. in a limited subset of internal source code repositories that were accessible to the two impacted employees.. The company added that only limited credentials were stolen from those repositories and that there is no evidence they were used in additional attacks.
To contain the damage, OpenAI said it isolated affected systems and accounts, revoked sessions, rotated credentials across affected repositories, and temporarily restricted deployment workflows. It also conducted a forensic investigation with the help of a third-party incident response firm.
Code signing certificates used for OpenAI products on macOS, Windows, iOS, and Android were also exposed in the incident. OpenAI said it has not detected that the exposed certificates were abused to sign malicious software, but it is rotating them as a precaution.
That precaution carries a deadline for some users: the certificate rotation will require macOS users to update their OpenAI desktop applications before June 12. 2026.. OpenAI said applications signed with older certificates may not launch or receive updates because of Apple’s notarization process.. Windows and iOS users, the company said, are not impacted and do not need to take any action.
The OpenAI breach traces back to a much larger Mini Shai-Hulud software supply-chain campaign that compromised hundreds of npm and PyPI packages earlier this week.. The attack initially targeted packages from TanStack and Mistral AI before spreading to other projects. including UiPath. Guardrails AI. and OpenSearch. through stolen CI/CD credentials and legitimate workflows.
Researchers from Socket and Aikido tracked hundreds of compromised packages distributed through legitimate package repositories.. In TanStack’s post-mortem. attackers are described as exploiting weaknesses in the project’s GitHub Actions workflows and CI/CD configuration to execute malicious code. extract tokens from memory. and publish malicious packages through TanStack’s normal release pipeline.
That approach meant attackers could publish malicious package versions through legitimate releases, with the packages appearing legitimate.. The Mini Shai-Hulud malware in the campaign targeted theft of developer and cloud credentials. including GitHub tokens. npm publish tokens. AWS credentials. Kubernetes secrets. SSH keys. and .env files.
Security researchers also said the malware established persistence on developer systems by modifying Claude Code hooks and VS Code auto-run tasks. enabling it to survive package removal.. As it spread. the malware used stolen GitHub and npm credentials to compromise maintainer accounts. inject malicious payloads into package tarballs. and publish new trojanized package versions to repositories.
A separate thread of reporting described additional behavior: Microsoft Threat Intelligence said it launched a Linux information-stealing tool targeting systems running Russian-language software.. That malware was also said to include a destructive sabotage component that would randomly execute a recursive wipe command on some Israeli or Iranian systems.
The pattern that ties OpenAI’s incident to the broader campaign is visible across the shared mechanics described here: the attackers used trusted workflows to push malicious updates. targeted credentials with exfiltration-focused behavior. and then moved through accounts and repositories rather than attacking companies directly.
OpenAI said it believes the incident reflects a growing trend in which attackers target the software supply chain rather than individual companies directly to achieve widespread impact.. “Modern software is built on a deeply interconnected ecosystem of open-source libraries. package managers. and continuous integration and continuous deployment infrastructure. which means that a vulnerability introduced upstream can propagate widely and quickly across organizations. ” the company concluded.
OpenAI TanStack Mini Shai-Hulud TeamPCP supply chain attack npm PyPI code-signing certificates macOS notarization CI/CD GitHub Actions security advisory