
OpenAI disclosed that two of its employee devices in its corporate environment were affected by the Mini Shai-Hulud supply chain attack on TanStack, but said that no user data, production systems, or intellectual property was compromised or modified in an unauthorized manner.
“Once we identified the malicious activity, we quickly took steps to investigate, contain, and protect our systems,” OpenAI said in a statement. “We observed activity consistent with published malware behavior, including unauthorized access and credential-focused theft activity, in a limited subset of internal source code repositories that were accessed by the two affected employees.”
The artificial intelligence (AI) startup added that only limited credentials were successfully transferred from these code repositories and no other information or code was affected.
OpenAI said that after being alerted to this activity, it isolated affected systems and identities, revoked user sessions, rotated all credentials across affected repositories, temporarily restricted code deployment workflows, and audited user and credential behavior.
Because the affected repositories contained signing certificates for iOS, macOS, and Windows products, the company took steps to revoke the certificates and issue new ones. Therefore, macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas should update their apps to the latest versions.
“This protects against the unlikely risk of someone attempting to distribute a fake app that appears to be from OpenAI,” OpenAI said. “Users do not need to take any action for Windows and iOS apps.”
The certificate is scheduled to expire on June 12, 2026, after which new downloads and launches of apps signed with the previous certificate will be blocked by built-in macOS protections. Therefore, for optimal protection, users are advised to apply updates before the deadline.
This is the second time in recent months that OpenAI has rotated its macOS code signing certificate. The company rotated certificates around mid-April 2026 after a GitHub Actions workflow used to sign macOS apps downloaded the malicious Axios library on March 31st. This library was compromised by a North Korean hacking group called UNC1069.
“This incident reflects a broader shift in the threat landscape, with attackers increasingly targeting shared software dependencies and development tools rather than single companies,” OpenAI said in a statement.
“Modern software is built on a deeply interconnected ecosystem of open source libraries, package managers, and continuous integration and continuous deployment infrastructure. This means vulnerabilities introduced upstream can propagate widely and quickly throughout an organization.”
This development comes on the heels of TeamPCP compromising hundreds of packages related to TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI, resulting in a number of new victims as part of an ongoing supply chain attack campaign aimed at delivering malware to downstream developers, stealing credentials from their systems, and further expanding the scope of the breach.
“Just to be clear, the maintainers have never been phished, passwords compromised, or tokens stolen from their accounts,” TanStack said. “The attacker was able to engineer a path for our proprietary CI pipeline to steal its own issued tokens via a cache that everyone in the chain implicitly trusted. This is something we take very seriously.”
TeamPCP then announced a supply chain attack contest in partnership with the Breached cybercrime forum, offering participants $1,000 in Monero to compromise open source packages using the Shai-Hulud worm, which the group is making available to others for free. The hacker group is also threatening to leak around 5GB of internal source code from Mistral AI and demanding a $25,000 BIN from potential buyers.
“We are looking for $25,000 BINs, or they can pay this, and we will shred these forever, sell only to the best offer, and limit it to one person. If we don’t find a buyer within a week, we will leak all of this for free on the forums,” TeamPCP said in a post.
In an updated advisory, Mistral AI acknowledged that it was affected by a supply chain attack caused by the TanStack breach, which led to the release of trojanized versions of its npm and PyPI SDKs. It also said a single developer device was affected by the hack. There is no evidence that its infrastructure was compromised.
A closer analysis of the modular Python toolkit delivered to Linux systems via the Guardrails-ai and Mistralai packages revealed that a primary command-and-control (C2) server address ("83.142.209[.]194") is hardcoded. If the primary C2 becomes unreachable, a fallback mechanism called FIRESCALE is activated.
“If the primary C2 is unavailable, the malware searches all public GitHub commit messages worldwide for an alternate signed server URL that is verified against an embedded 4096-bit RSA key,” Hunt.io said. “The theft follows three paths in sequence: the primary C2 server, the FIRESCALE deaddrop redirect, and the victim’s own GitHub repository. If you block one tier, the other two tiers remain intact.”
The company also revealed that the collection module responsible for collecting Amazon Web Services (AWS) credentials covers all 19 availability zones on its target list, including us-gov-east-1 (AWS GovCloud – US East) and us-gov-west-1 (AWS GovCloud – US West), which are limited to US government agencies and defense contractors.
Another unusual aspect of this campaign is the destructive behavior that accompanies it. On machines geographically located in Israel or Iran, a 1 in 6 probability gate activates audio playback at maximum volume, after which all accessible files are deleted. The malware exits on systems with a Russian locale.
The targeting of specific geographic regions mirrors the “kamikaze” wiper that TeamPCP unleashed on Iran-based Kubernetes clusters in connection with an earlier supply chain attack that distributed a self-replicating worm known as CanisterWorm. These repeated actions indicate a deliberate operation rather than an opportunistic one.
“This toolkit is more capable, more resilient, and more sophisticated,” Hunt.io said. “Beyond the credentials file, the malware captures all environment variables on the machine, reads all SSH keys and settings, searches the entire home directory for dotenv files, and retrieves credentials from running Docker containers.”
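For responders scoping credential rotation on an affected developer device, the sketch below (an added example, not code from Hunt.io, OpenAI or the malware) inventories the stores named above: secret-looking environment variables, SSH private keys, dotenv files under the home directory and AWS profiles. The name filter, the function names and the reading of "the credentials file" as `~/.aws/credentials` are assumptions; Docker containers are not covered.

```python
import configparser, contextlib, json, os, re
from pathlib import Path

# Assumption: illustrative name filter; the malware described takes every variable.
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSW|API_?KEY|ACCESS_KEY|CREDENTIAL", re.I)

def ssh_private_keys(home):
    """Files in ~/.ssh that begin with a PEM/OpenSSH private-key header."""
    found, ssh_dir = [], Path(home) / ".ssh"
    for p in sorted(ssh_dir.iterdir()) if ssh_dir.is_dir() else []:
        try:
            head = p.read_bytes()[:64]
        except OSError:  # sub-directories, unreadable files
            continue
        if head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head:
            found.append(str(p))
    return found

def dotenv_keys(home):
    """Map each .env / .env.* file under home to the variable names it sets."""
    result = {}
    for root, _dirs, files in os.walk(home):
        for name in (f for f in files if f == ".env" or f.startswith(".env.")):
            path = os.path.join(root, name)
            try:
                lines = Path(path).read_text(errors="replace").splitlines()
            except OSError:
                continue
            result[path] = sorted(
                l.split("=", 1)[0].strip().removeprefix("export ").strip()
                for l in lines if "=" in l and not l.lstrip().startswith("#"))
    return result

def aws_profiles(home):
    """Profile names in ~/.aws/credentials (assumed to be 'the credentials file')."""
    cp = configparser.RawConfigParser()
    with contextlib.suppress(configparser.Error):  # malformed: keep what parsed
        cp.read(Path(home) / ".aws" / "credentials")
    return cp.sections()

def rotation_inventory(home, environ):
    """Names and paths only (never values) of secrets to treat as exposed."""
    return {"env_vars": sorted(k for k in environ if SECRET_NAME.search(k)),
            "ssh_keys": ssh_private_keys(home),
            "dotenv": dotenv_keys(home), "aws_profiles": aws_profiles(home)}

if __name__ == "__main__":
    print(json.dumps(rotation_inventory(Path.home(), os.environ), indent=2))
```

The output lists names and paths only, so it can be attached to an incident ticket without copying the secrets themselves.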
