
OpenAI Confirms Breach: Mini Shai-Hulud Attack Stole Code-Signing Certificates for All Four Major App Platforms

The Mini Shai-Hulud npm supply chain campaign — which we previously covered hitting 170+ developer tools — has claimed its biggest known victim yet: OpenAI. Two employee devices were compromised, exposing code-signing certificates for macOS, Windows, iOS, and Android apps. The attack also weaponized Sigstore itself, turning the developer ecosystem's last automated trust signal into camouflage.

OpenAI Got Hit. Here's What Was Taken.

OpenAI has confirmed that two of its employee devices were compromised through the Mini Shai-Hulud supply chain campaign, according to Daily Security Review.

What the attackers walked away with: the code-signing certificates used to sign OpenAI's official macOS, Windows, iOS, and Android applications, plus access to a limited set of internal source code repositories.

The certificates that tell your phone or laptop "this software is legitimately from OpenAI" were stolen.

OpenAI says it rotated all affected credentials and revoked the certificates before any confirmed misuse. A third-party incident response firm found the intrusion confined to those two devices and the specific materials they touched. No customer data. No production systems. No deployed software tampered with — as far as they can tell.

But macOS users have until June 12, 2026 to update their OpenAI applications to builds signed with the new certificates. After that date, builds signed with the old certificates will no longer be trusted. If you're using OpenAI's desktop app and haven't updated, do it now.

How 633 Packages Passed Security Checks They Should Have Failed

The attackers didn't just steal credentials and publish malicious packages. They broke npm's last automated trust signal — Sigstore provenance verification.

On May 19, 633 malicious npm package versions passed Sigstore provenance verification, according to VentureBeat. Verification reported them as valid, and it was right to: Sigstore worked exactly as designed. It confirmed that each package was built in a CI environment. It confirmed that a valid short-lived signing certificate had been issued for that build. It recorded the signing event in the transparency log.

What it cannot determine is whether the person behind those credentials actually authorized the publish. The attacker had compromised a maintainer account, obtained valid signing certificates through it, and published packages that looked perfectly legitimate to every automated check in the pipeline.

The trust signal wasn't defeated. It was used as a disguise.
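What a consumer-side policy on top of Sigstore looks like, as an added example that is not code from npm, Sigstore or any vendor quoted here: it takes the claims inside a provenance statement, which Sigstore has already proven were signed by a CI identity, and checks them against what the consuming organization expects for that package. The JSON layout is a simplified version of the in-toto/SLSA v1 statement npm publishes for GitHub Actions builds; the package, organization, policy table and helper names are hypothetical.

```python
import json
from urllib.parse import unquote

# Constructed sample, not a real attestation: a simplified in-toto statement with a
# SLSA v1 provenance predicate, in the shape npm publishes for packages built with
# GitHub Actions. Package, org and digest are made up.
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/%40example/widgets@4.2.0",
                 "digest": {"sha512": "0000deadbeef"}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/heads/main",
                "repository": "https://github.com/example-org/widgets",
                "path": ".github/workflows/publish.yml"}},
            "internalParameters": {"github": {"event_name": "push"}},
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
})

# Hypothetical consumer-side policy: for each dependency, the only source repository,
# workflow, branch and builder its provenance is allowed to name. Sigstore cannot know
# this; only the consuming organization can supply it.
POLICY = {
    "@example/widgets": {
        "repository": "https://github.com/example-org/widgets",
        "path": ".github/workflows/publish.yml",
        "ref": "refs/heads/main",
        "builder_id": "https://github.com/actions/runner/github-hosted",
    },
}

def package_from_purl(purl: str) -> str:
    """'pkg:npm/%40example/widgets@4.2.0' -> '@example/widgets'."""
    name_at_version = unquote(purl).removeprefix("pkg:npm/")
    return name_at_version.rsplit("@", 1)[0]

def check_provenance(statement_json: str, policy: dict) -> list:
    """Return policy violations for one provenance statement; [] means it matches.
    Assumes the signature and transparency-log checks (what Sigstore does) already
    passed; this only asks whether the *claims* are the ones we expect."""
    st = json.loads(statement_json)
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["unexpected predicateType %r" % st.get("predicateType")]
    pkg = package_from_purl(st["subject"][0]["name"])
    expected = policy.get(pkg)
    if expected is None:
        # Fail closed: a package with provenance but no policy entry is exactly the
        # case where "signed by CI" would otherwise pass unexamined.
        return [f"{pkg}: no provenance policy on file"]
    wf = st["predicate"]["buildDefinition"]["externalParameters"]["workflow"]
    builder = st["predicate"]["runDetails"]["builder"]["id"]
    problems = []
    for field in ("repository", "path", "ref"):
        if wf.get(field) != expected[field]:
            problems.append(f"{pkg}: workflow {field} is {wf.get(field)!r}, "
                            f"expected {expected[field]!r}")
    if builder != expected["builder_id"]:
        problems.append(f"{pkg}: builder {builder!r}, expected {expected['builder_id']!r}")
    return problems

def with_repository(statement_json: str, repository: str) -> str:
    """Demo helper: the same statement claiming a different source repository."""
    st = json.loads(statement_json)
    st["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["repository"] = repository
    return json.dumps(st)

if __name__ == "__main__":
    print(check_provenance(SAMPLE_STATEMENT, POLICY))
    print(check_provenance(with_repository(SAMPLE_STATEMENT,
                                           "https://github.com/attacker/widgets"), POLICY))
```

The check rejects provenance that names an unexpected repository, workflow, branch or builder, and fails closed on packages with no policy entry. It does not help when a stolen account publishes through the maintainer's own pinned workflow, which is the case the text describes; catching that needs signals Sigstore does not carry, such as publish timing relative to the package's release history and anomalies on the maintainer side.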

The Worm's Mechanics — And Why Detection Came Too Late for Many

Endor Labs traced the campaign's origin to two dormant packages, jest-canvas-mock and size-sensor, neither of which had published an update in over three years. Then, on May 19 at 01:39 UTC, both pushed new versions containing an obfuscated 498KB Bun script whose dependencies pointed at raw GitHub commit hashes rather than registry versions.

Most tooling wasn't actively watching for this kind of change.

By 02:06 UTC — 27 minutes later — the worm had propagated across the entire @antv data visualization ecosystem and dozens of unscoped packages, including echarts-for-react, which pulls roughly 1.1 million weekly downloads, according to VentureBeat.

Socket's detection systems flagged most malicious activity within 6 to 12 minutes of publication, with a median detection time of 6.7 minutes, according to Cybersecurity News. But in those minutes, 639 compromised versions across 323 unique packages had already spread in that single wave.

Across the full campaign lifecycle — npm, PyPI, and Composer combined — Socket has now tracked 1,055 malicious versions across 502 packages.
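A defender-side version of the signal Endor Labs describes, as an added example that is not code from Endor Labs, Socket or the npm project: given the `time` map from a package's npm registry document, flag any version published after a long silence (optionally only inside an incident window), and separately flag dependencies in a version's manifest that point at git commits or GitHub URLs instead of registry versions. The package name, versions, timestamps and dependency specs are constructed; the git-spec pattern is a heuristic, not npm's own spec parser.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the `time` map from an npm registry package document
# (GET https://registry.npmjs.org/<name>): version -> publish timestamp, plus the
# "created" and "modified" keys. Name and versions are made up; the timing copies
# the pattern above: no release for over three years, then a new version at
# 01:39 UTC on 2026-05-19.
SAMPLE_TIME = {
    "created":  "2021-09-15T12:00:00.000Z",
    "modified": "2026-05-19T01:39:12.412Z",
    "1.0.0":    "2021-09-15T12:00:00.000Z",
    "1.1.0":    "2022-06-01T07:45:00.000Z",
    "1.1.1":    "2022-12-01T09:02:10.000Z",
    "1.2.0":    "2026-05-19T01:39:12.412Z",
}

# Constructed dependency map of that new 1.2.0 version (registry versions[v].dependencies).
SAMPLE_DEPS_1_2_0 = {
    "tslib": "^2.6.0",
    "helper-lib": "github:someone/helper-lib#3f1c2a9b8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a",
    "loader": "git+https://github.com/someone/loader.git#9b8a7c6d",
}

# The May 18-19 window named in the coverage, as aware UTC datetimes.
INCIDENT_WINDOW = (datetime(2026, 5, 18, tzinfo=timezone.utc),
                   datetime(2026, 5, 20, tzinfo=timezone.utc))

def _ts(s: str) -> datetime:
    """Registry timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def dormancy_alerts(time_map: dict, min_gap_days: int = 365, window=None) -> list:
    """Versions published after at least `min_gap_days` of silence.
    Returns [(version, gap_days)] in publish order; window=(start, end) restricts
    the result to versions published inside an incident window."""
    releases = sorted((_ts(ts), v) for v, ts in time_map.items()
                      if v not in ("created", "modified"))
    alerts = []
    for (prev_ts, _), (ts, version) in zip(releases, releases[1:]):
        gap = (ts - prev_ts).days
        in_window = window is None or window[0] <= ts <= window[1]
        if gap >= min_gap_days and in_window:
            alerts.append((version, gap))
    return alerts

# Heuristic for specs that resolve to git rather than the registry: git+/git:/github:
# prefixes, bare GitHub URLs, and the "owner/repo#ref" shorthand.
_GIT_SPEC = re.compile(r"^(git\+|git:|github:|https?://github\.com/|[\w.-]+/[\w.-]+#)")

def git_pinned_deps(dependencies: dict) -> list:
    """Names of dependencies whose spec is a git commit/URL instead of a registry range."""
    return sorted(name for name, spec in dependencies.items() if _GIT_SPEC.match(spec))

if __name__ == "__main__":
    print(dormancy_alerts(SAMPLE_TIME, window=INCIDENT_WINDOW))
    print(git_pinned_deps(SAMPLE_DEPS_1_2_0))
```

Either signal alone is noisy: abandoned packages do get revived, and git-pinned dependencies are legitimate in some projects. Both together, on a package you already depend on, within the hour of a known wave, is the combination worth a pipeline block rather than a ticket.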

What Gets Stolen, and Where It Goes

The payload targets specific assets. Per Cybersecurity News, it goes after:

  • GitHub tokens, npm publish tokens, AWS credentials
  • Kubernetes service account material
  • Vault tokens, SSH keys, Docker auth files
  • Database connection strings
  • `.env` files

It contains explicit logic for 18+ CI/CD platforms — GitHub Actions, GitLab CI, CircleCI, Jenkins, Azure DevOps, AWS CodeBuild, Vercel, Netlify, Cloudflare Pages. This focused the attack on the infrastructure developers use to build and ship software.

The stolen data is gzip-compressed and encrypted with AES-256-GCM; the AES key is wrapped with RSA-OAEP before the bundle is sent to a hardcoded HTTPS endpoint. Without the attacker's RSA private key, a packet capture of that traffic cannot be decrypted, so network telemetry will tell you that something left, not what.

If the payload finds a usable GitHub token, it creates repositories under the victim's account and commits stolen data there — using the victim's own infrastructure to store the loot.

One Day Earlier: 6,000 Auto-Updates Delivered Malware in 40 Minutes

A day before, on May 18, attackers used stolen credentials to publish version 18.95.0 of the Nx Console VS Code extension — more than 2.2 million lifetime installs, according to VentureBeat.

The malicious version stayed live for under 40 minutes. Internal telemetry from Nx showed approximately 6,000 activations during that window, almost entirely through auto-update. The official download count stood at 28, a figure that does not capture the auto-update pushes.

Auto-update delivered the malware. The users never clicked anything.

That version harvested Claude Code configuration files, AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens.

Precedent and Pattern

The Bleeping Computer report, dated April 22, 2026, documented an earlier wave of the same worm behavior — attributed to techniques similar to TeamPCP's prior CanisterWorm attacks — hitting AI agent tooling packages from Namastex Labs.

Research teams at Endor Labs, Socket, StepSecurity, Adversa AI, Johns Hopkins, Microsoft MSRC, and LayerX have independently confirmed that six separate attack surfaces failed in the 48 hours between May 18 and May 19 alone: npm provenance forgery, VS Code extension credential theft, MCP server auto-execution, CI/CD agent prompt injection, agent framework code execution, and IDE credential storage exposure.

No single vendor framework covers all of them.

What This Means for You

If you run JavaScript, Python, or PHP builds in CI/CD — audit your dependency trees. Now. Not next sprint.

If you installed any npm package between May 18 and May 19, check Socket's published indicators of compromise against your lockfiles.

If you use OpenAI's desktop app on macOS, update before June 12, 2026, when builds signed with the old certificates stop being trusted.

If your organization's security plan relies on Sigstore provenance as a final trust gate, reconsider that strategy.
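The audit in the first two items, as an added example that is not Socket's tooling and does not contain its real indicator list: walk a package-lock.json, including nested copies of a package, and report every installed (name, version) pair that appears in an indicator set. Both lockfile samples and the indicator set are constructed; real indicators come from the published advisories.

```python
import json

# Constructed lockfile in the lockfileVersion 3 layout: a flat "packages" map keyed
# by install path. Package names and versions are made up.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "my-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "dependencies": {"example-charts": "^3.1.0"}},
        "node_modules/example-charts": {"version": "3.1.4"},
        "node_modules/example-charts/node_modules/@example/viz-core": {"version": "5.0.2"},
        "node_modules/@example/viz-core": {"version": "4.9.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

# Constructed lockfileVersion 1 layout (nested "dependencies"), which older
# projects still carry.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "example-charts": {"version": "3.1.4",
                           "dependencies": {"@example/viz-core": {"version": "5.0.2"}}},
        "lodash": {"version": "4.17.21"},
    },
})

# Constructed indicator set, shaped like a real one: (package name, exact version).
SAMPLE_IOCS = {("example-charts", "3.1.4"), ("@example/viz-core", "5.0.2")}

def installed_packages(lock_json: str) -> list:
    """Return (install_path, name, version) for every package a lockfile pins,
    including nested copies, for lockfileVersion 1, 2 and 3."""
    lock = json.loads(lock_json)
    found = []
    if "packages" in lock:  # v2/v3: flat map keyed by path ("" is the root project)
        for path, meta in lock["packages"].items():
            if path == "" or "version" not in meta:
                continue
            name = path.rsplit("node_modules/", 1)[1]  # keeps the @scope/ prefix
            found.append((path, name, meta["version"]))
    else:  # v1: nested "dependencies" trees
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                found.append((path, name, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return found

def audit_lockfile(lock_json: str, iocs: set) -> list:
    """Installed entries whose (name, version) pair is in the indicator set.
    Exact-version matching on purpose: a range would hide which copy is bad."""
    return [entry for entry in installed_packages(lock_json)
            if (entry[1], entry[2]) in iocs]

if __name__ == "__main__":
    for hit in audit_lockfile(SAMPLE_LOCK_V3, SAMPLE_IOCS):
        print("HIT", *hit)
```

Run it against every lockfile in the repository, not only the root one, and against what is actually installed on CI runners, since a runner that was compromised does not care what the committed lockfile says. Until the tree is clean, installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running during install, which removes one common execution path for a malicious package.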

Sources

  • VentureBeat: Valid certificates, stolen accounts: how attackers broke npm's last trust signal
  • Cybersecurity News: 600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack
  • Daily Security Review: OpenAI Confirms Breach via Mini Shai-Hulud npm Supply Chain Attack
  • BleepingComputer: New npm supply-chain attack self-spreads to steal auth tokens