OpenAI has confirmed that employee devices were compromised during the recent Mini Shai-Hulud supply-chain attack that spread through hundreds of malicious npm and PyPI packages tied to the broader TanStack ecosystem compromise.
In a newly published security advisory, OpenAI said 2 employee devices were impacted during the campaign, leading the company to rotate code-signing certificates used for macOS, Windows, iOS, and Android applications as a precaution.
The company stated that customer data, production systems, deployed services, and intellectual property were not affected by the incident. However, OpenAI acknowledged that attackers gained unauthorized access to a limited subset of internal source code repositories accessible to the impacted employees.
The incident adds one of the highest-profile confirmed victims so far to the rapidly expanding Mini Shai-Hulud campaign, which has already been linked to compromises involving TanStack, Mistral AI, UiPath, Guardrails AI, OpenSearch, and other developer ecosystems.
BreachNews previously covered how the broader Mini Shai-Hulud supply-chain campaign weaponized trusted CI/CD workflows to distribute malicious packages through legitimate publishing pipelines.
Attackers abused trusted software release infrastructure
According to OpenAI, investigators observed activity consistent with publicly documented Mini Shai-Hulud malware behavior, including credential-focused data theft and unauthorized repository access.
The company said only a limited number of credentials were exposed and that there is currently no evidence the stolen information was used in additional attacks.
The broader campaign has drawn significant attention across the cybersecurity industry because attackers reportedly compromised trusted GitHub Actions publishing workflows rather than simply stealing maintainer passwords or uploading fake packages.
Researchers investigating the attacks found that malicious packages were distributed through legitimate software release pipelines using valid publishing identities and trusted automation infrastructure.
That allowed compromised packages to appear authentic even while carrying malicious payloads designed to steal cloud credentials, GitHub tokens, SSH keys, Kubernetes secrets, and developer environment data.
Security researchers also reported that some malicious releases carried valid provenance attestations, highlighting how attackers increasingly target the software delivery process itself rather than attempting to bypass downstream verification mechanisms.
The campaign has been widely linked to TeamPCP, a threat group previously associated with multiple software supply-chain incidents covered by BreachNews, including the Bitwarden CLI compromise and earlier attacks involving developer tooling ecosystems.
Certificate rotation impacts desktop application users
As part of its response, OpenAI said it isolated affected systems, revoked active sessions, rotated repository credentials, and temporarily restricted certain deployment workflows while conducting a forensic investigation with the assistance of a third-party incident response firm.
The company also rotated application code-signing certificates after determining the certificates may have been exposed during the incident.
OpenAI warned that macOS users will need to update desktop applications before June 12, 2026, because applications signed with older certificates may stop launching or receiving updates due to Apple notarization requirements.
Windows and iOS users were reportedly not impacted by the certificate rotation process.
The Mini Shai-Hulud campaign continues to highlight growing concerns around the security of interconnected developer ecosystems, where compromises affecting a single trusted dependency or CI/CD workflow can rapidly cascade across thousands of downstream projects and organizations.
The incident also reinforces how modern software supply-chain attacks increasingly focus on abusing automation, identity federation, and trusted publishing systems rather than relying solely on traditional malware delivery methods.
At time of publication, OpenAI had not reported evidence of customer-facing compromise or malicious software signed using the exposed certificates.
Read more BreachNews coverage on TeamPCP and ongoing software supply-chain attacks.
