OpenAI: Shai-Hulud malware accessed limited internal code

OpenAI confirmed in a Wednesday blog post that malware linked to the Shai-Hulud campaign breached parts of its internal development environment after a compromised TanStack npm package infected two employee devices. Attackers gained access to a limited set of internal source code repositories.

The malicious package infected two employee machines and allowed unauthorized access and credential-focused exfiltration in the repositories those employees could reach. OpenAI reported it stopped the activity and is rotating code-signing certificates used for macOS, Windows and iOS as a precaution.

The company found no evidence that customer data, production systems or core company technology were affected. Impact was limited to internal code storage systems and the specific repositories the two employees could access.

The affected repositories included code-signing certificates used to verify OpenAI software on macOS, Windows and iOS. OpenAI warned that macOS users must update OpenAI applications before June 12; older versions signed with the previous certificates may stop working after that date. Windows and iOS users do not need to take action now, and the company said it will provide additional guidance to macOS customers.

OpenAI described the observed activity as consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration in a small subset of repositories. “We observed activity consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access,” the company wrote. “As a result, we are rotating code-signing certificates as a precaution, which will require macOS users to update their applications.”

The disclosure follows related activity tied to the same malware campaign that has targeted open-source tools used in AI development. Security teams at affected organizations have been rotating credentials, removing compromised packages and scanning systems for signs of further compromise.

One related case involved a Mistral AI package distributed on PyPI. Security researchers reported attackers inserted malicious code that ran on Linux systems and downloaded a secondary payload named transformers.pyz, designed to resemble a popular Transformers library.

OpenAI reported no theft of intellectual property or customer account data and said it has taken steps to harden its development environment. The company will continue its investigation and provide updates if it finds additional impact.