OpenAI confirmed a security breach affecting two employee devices, stemming from the “Mini Shai-Hulud” campaign that trojanized hundreds of npm and PyPI packages. The intrusion exposed limited internal source code repositories and, critically, code-signing certificates used to sign OpenAI’s macOS, Windows, iOS, and Android applications. OpenAI has rotated all affected credentials and certificates; macOS users face a June 12, 2026 deadline to update their applications to binaries signed with the new certificates.
Mini Shai-Hulud Campaign Compromised OpenAI via Trojanized CI/CD Packages
The Mini Shai-Hulud campaign targeted developers by publishing malicious packages to npm and PyPI through compromised maintainer accounts and hijacked GitHub Actions workflows. Attackers obtained developer credentials and used them to inject malicious code into legitimate CI/CD pipelines, which then harvested additional credentials from the build environments they reached. The campaign targeted GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and .env files.
At OpenAI, the malicious packages executed on two employee devices and successfully exfiltrated credentials that provided access to limited internal source code repositories and the code-signing certificates for all four of OpenAI’s major application platforms. Socket and Aikido Security researchers tracked the compromised packages across npm and PyPI and provided indicators to affected organizations.
Code-Signing Certificates for macOS, Windows, iOS, and Android Applications Exposed
The code-signing certificates stolen from OpenAI were used to authenticate the official OpenAI applications distributed to end users. Code-signing certificates allow operating systems and app stores to verify that software comes from a trusted publisher and has not been tampered with since it was signed. Exposure of these certificates would theoretically allow an attacker to sign modified or entirely new applications that appear to be legitimate OpenAI software.
OpenAI confirmed that the stolen certificates were revoked before any evidence of misuse was identified. No customer data, production systems, intellectual property, or deployed software was impacted by the breach. Forensic investigation by a third-party incident response firm found the scope of the intrusion limited to the two employee devices and the specific credential and certificate material they accessed.
macOS Users Have Until June 12 to Update Before Old Certificates Expire
OpenAI issued a deadline of June 12, 2026 for macOS users to update their OpenAI applications. The deadline corresponds to the rotation of code-signing certificates — after June 12, OpenAI’s macOS applications will be signed exclusively with newly issued certificates, and the old certificates will be fully revoked. macOS users running outdated application versions may encounter warnings or blocked launches from Gatekeeper once the old certificate authority chain is deactivated.
Windows, iOS, and Android users are also advised to update their OpenAI applications to receive binaries signed under the new certificates. OpenAI’s response actions included isolating the affected employee devices, revoking all active sessions on the compromised accounts, rotating every credential the attacker accessed, restricting deployment workflows to prevent unauthorized pipeline execution, and engaging an external incident response firm for forensic analysis.
OpenAI and Mistral AI Breach from the Same Shai-Hulud Campaign Family
The Mini Shai-Hulud campaign at OpenAI uses tactics from the same family as the broader Shai-Hulud supply chain attack that separately compromised Mistral AI, where approximately 450 source code repositories are now being sold on hacking forums by the threat group TeamPCP. Both incidents exploited stolen CI/CD credentials to contaminate development environments, suggesting a coordinated campaign targeting the development pipelines of AI companies specifically.
The simultaneous confirmation of breaches at two major AI companies through variants of the same supply chain campaign highlights the exposure of AI development infrastructure to attacks that exploit the dense dependency chains and automated CI/CD pipelines common in modern software development. Organizations should audit their npm and PyPI dependencies, review GitHub Actions workflow permissions, and verify that third-party package publishers match known maintainer accounts — particularly for packages that have recently transferred ownership or resumed publishing activity after extended dormancy.
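One way to run the publisher and dormancy check described above, as an added example that is not OpenAI's or any vendor's tooling: it reads an npm registry packument (the JSON served at `https://registry.npmjs.org/<name>`) and flags releases that follow a long gap or come from an account that never published the package before. The package name, account names, dates, and the 365-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample shaped like an npm registry packument; all values are made up.
SAMPLE_PACKUMENT = {
    "name": "example-build-helper",
    "time": {
        "created": "2021-01-10T09:00:00.000Z",
        "modified": "2026-04-02T03:12:00.000Z",
        "1.0.0": "2021-01-10T09:00:00.000Z",
        "1.0.1": "2021-03-22T14:30:00.000Z",
        "1.1.0": "2021-09-05T11:00:00.000Z",
        "1.1.1": "2026-04-02T03:12:00.000Z",
    },
    "versions": {
        "1.0.0": {"_npmUser": {"name": "alice"}},
        "1.0.1": {"_npmUser": {"name": "alice"}},
        "1.1.0": {"_npmUser": {"name": "alice"}},
        "1.1.1": {"_npmUser": {"name": "new-publisher-7"}},
    },
}

def parse_ts(value):
    # The registry uses ISO 8601 with a trailing "Z"; normalise it for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_release_history(packument, dormancy_days=365):
    """Flag releases after long dormancy or from a first-time publisher."""
    releases = sorted(
        (parse_ts(ts), version)
        for version, ts in packument.get("time", {}).items()
        if version not in ("created", "modified")  # bookkeeping keys, not releases
    )
    findings, seen_publishers, previous = [], set(), None
    for published, version in releases:
        meta = packument.get("versions", {}).get(version, {})  # absent if unpublished
        publisher = meta.get("_npmUser", {}).get("name")
        if previous and published - previous > timedelta(days=dormancy_days):
            gap = (published - previous).days
            findings.append((version, "dormancy", f"{gap} days since previous release"))
        if publisher and seen_publishers and publisher not in seen_publishers:
            findings.append((version, "new_publisher", publisher))
        if publisher:
            seen_publishers.add(publisher)
        previous = published
    return findings
```

A finding is a prompt for manual review of that release's diff and install scripts, not proof of compromise; legitimate maintainer handovers produce the same signal.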