OpenAI Confirms Two Employee Devices Were Compromised in the Shai Hulud Supply Chain Attack — The AI That Writes Code Just Got Owned by the Code Supply Chain

Two days ago, we reported that the Shai Hulud supply chain worm had compromised hundreds of signed npm and PyPI packages, including TanStack, Mistral AI, and UiPath libraries. We noted — with what now feels like prophetic exhaustion — that your cryptographic verification had just verified the malware.

Today, OpenAI confirmed that it was one of the victims. Two employee devices were compromised. Internal source code repositories were accessed. And the company is now rotating all of its code-signing certificates for Windows, macOS, iOS, and Android.

When the worm comes for the worm-makers, the recursion writes itself.

🤚 The Open-Palm Disclosure

In a blog post titled “Our Response to the TanStack npm Supply Chain Attack,” OpenAI confirmed the following:

  • Two employee devices were compromised via the malicious TanStack packages
  • The malware exhibited “credential-focused exfiltration activity”
  • Attackers gained unauthorized access to a limited subset of internal source code repositories to which the two impacted employees had access
  • No evidence that user data, production systems, or intellectual property were compromised
  • No evidence that shipped software was altered
  • All code-signing certificates for Windows, macOS, iOS, and Android applications are being rotated

The attack vector: the Mini Shai-Hulud campaign, orchestrated by hacking group TeamPCP, compromised over 170 packages across npm and PyPI by hijacking CI/CD pipelines and publishing malicious versions with valid provenance signatures. Over 400 malicious package versions were distributed.

👐 The Two-Handed Credential Harvest

Let’s appreciate the elegant horror of this attack chain:

  1. TeamPCP staged payloads in a GitHub fork
  2. They injected the payload into published npm tarballs
  3. They hijacked the project’s CI/CD pipeline
  4. They exploited the ambient OIDC token in the workflow to bypass the publish step’s own verification
  5. The packages shipped with valid cryptographic signatures

This means every organization running npm audit or checking package provenance saw a green checkmark on packages that were actively exfiltrating credentials. The security tooling confirmed the malware was legitimate. Chef’s kiss.
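Step 4 depends on the OIDC token being available to more of the workflow than the publish step needs. One defensive check for that condition, as an added example (not code from OpenAI, TanStack, or the original post): the scanner below reports which jobs in a GitHub Actions workflow can request an OIDC token and whether they got `id-token: write` explicitly or inherited it from a workflow-level `permissions` block. The sample workflow and the function name are constructed for illustration, and the scanner is a simplified line reader that assumes block-style YAML with 2-space indentation.

```python
import re

# Constructed sample workflow, not taken from any real project.
SAMPLE_WORKFLOW = """\
on: push
permissions:
  contents: read
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm ci && npm test
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - run: npm publish --provenance
"""

def oidc_token_jobs(text):
    """Map each job to how it gets id-token: write: 'explicit', 'inherited' or None."""
    grants = {}  # permissions owner (job name, or None for the workflow) -> granted?
    jobs, in_jobs, job, open_block = [], False, None, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = (s.strip() for s in line.strip().partition(":"))
        if open_block and indent > open_block[0]:  # inside a permissions: block
            if key == "id-token" and value == "write":
                grants[open_block[1]] = True
            continue
        open_block = None
        if indent == 0:
            in_jobs, job = key == "jobs", None
        elif in_jobs and indent == 2:  # assumes 2-space indentation
            job = key
            jobs.append(job)
        if key == "permissions" and (indent == 0 or (job and indent == 4)):
            owner = job if indent else None
            grants[owner] = value == "write-all" or bool(
                re.search(r"id-token\s*:\s*write", value))  # scalar or inline {..} form
            if not value:
                open_block = (indent, owner)
    # A job with its own permissions block does not inherit the workflow-level grant.
    return {j: ("explicit" if grants[j] else None) if j in grants
            else ("inherited" if grants.get(None) else None) for j in jobs}
```

Any job reported as `inherited` can mint the token even though it never asked for it; moving the grant into the publish job alone removes it from the jobs that only install and test dependencies.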

OpenAI’s statement is carefully worded: they observed “activity consistent with the malware’s publicly described behavior” in “a limited subset” of repos. Translation: the attackers got credential access, wandered into some source code, and OpenAI caught them before they could turn that access into something catastrophic. Probably. Hopefully. The certificate rotation suggests they’re not entirely sure what else might have been touched.

🌿 The Gentle Awakening

There is a certain cosmic irony in OpenAI — a company building systems that can write, analyze, and debug code — being compromised by a supply chain attack that exploited the code supply chain. The machines that write the code were undone by the infrastructure that delivers the code.

But this isn’t really an OpenAI story. It’s an everyone story. If OpenAI — with its presumably world-class security team, its presumably aggressive endpoint monitoring, its presumably locked-down developer environments — still had two engineers running compromised TanStack packages on their machines, what does that say about the other 244,000+ organizations that downloaded these packages?

The answer is: they also got owned. They just haven’t published a blog post about it yet.

👑 The Gold-Leaf Reckoning

The certificate rotation is the real tell here. When a company rotates all signing certificates across all platforms, they are making a statement: “We cannot prove that nothing else was compromised, so we are assuming everything might have been.”

This is the correct response. It is also terrifying. OpenAI’s applications — ChatGPT desktop, the mobile apps, any internal tooling — are all being re-signed. Every update you receive in the coming days is, in a sense, OpenAI saying: “The old signatures can no longer be trusted. Here are new ones. Please trust these instead. We promise these are fine.”

The broader lesson remains what it was two days ago, only louder: cryptographic package signing does not protect you from a compromised build pipeline. The signature is only as trustworthy as the CI/CD system that produced it. And CI/CD systems, it turns out, are held together by ambient tokens, implicit trust, and the collective hope that nobody looks too closely at the workflow YAML.

TeamPCP looked closely. And now OpenAI is rotating certificates, enterprises are auditing their dependency trees, and the entire npm ecosystem is having another one of its periodic existential crises — which, at this point, occur with the regularity of a British train delay.

“The code-signing certificate said ‘trust me’ and the malware said ‘trust me’ and honestly at this point they were both telling the truth — trust is a social construct and your OIDC tokens are ambient.” — The Slap of Wisdom Incident Response Team, rotating our own certificates just to feel something