OpenAI disclosed today that two employee devices were compromised by the Mini Shai-Hulud npm supply-chain campaign, exposing GitHub tokens, API keys, internal secrets, and (most consequentially for end users) the code-signing certificates for OpenAI's iOS, Windows, and macOS applications. The company says no customer data and no production systems were accessed; the access path was scoped to "a limited number of source code repositories" containing the signing materials. OpenAI is rotating certificates, has paused notarization with platform providers to block any malicious resubmission attempts, and engaged an external digital forensics and incident response firm during the investigation. Mac users specifically have a June 12 deadline to update the affected apps; Windows and iOS users do not need additional action beyond normal updates.

The required Mac versions are concrete: ChatGPT Desktop 1.2026.125, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1. If you are running any of those products on macOS, the practical action item is to install the official updates from OpenAI's distribution channels before June 12 and not from any other source. The risk profile here is not that today's apps are unsafe (they are signed with the pre-incident certs that are being rotated out) but that stolen signing materials let attackers produce malware that looks legitimate enough to bypass macOS Gatekeeper warnings and trick users into trusting it. Once the cert rotation completes, attempting to install builds signed with the old materials will fail verification, which is the intended outcome.

The Mini Shai-Hulud framing matters. The original Shai-Hulud worm from 2025 was a self-propagating npm attack that compromised hundreds of packages by chaining maintainer credentials. The "Mini" naming suggests a smaller, targeted follow-up campaign that focused on developer credentials at specific organizations rather than mass propagation. OpenAI is the highest-profile confirmed victim so far, but the same campaign infrastructure that hit two of their developers could be hitting smaller teams that have not noticed yet. The technical pattern is the same one builders should now treat as routine: a compromised dependency in the npm graph harvests credentials from developer machines and sells the keychain access onward. The mitigation is the same one that has been a known practice for two years and is still inconsistently deployed: hardware-bound credentials (signing keys in HSMs or hardware tokens, GitHub tokens scoped narrowly and rotated frequently), separation of build infrastructure from developer workstations, and CI-side notarization rather than developer-laptop notarization.

For builders shipping signed software: audit which credentials are stored in plain files on developer laptops right now, and assume Mini Shai-Hulud or a successor has the capability to read them. The OpenAI response timeline (detect, isolate devices, engage DFIR, rotate certs, pause notarization, advise users with a hard date) is the playbook to copy if this hits you. The window between cert exposure and forced user-side update is the window in which malicious signed builds can circulate; OpenAI is asking for roughly four weeks. The hard question every team running a signed-software pipeline needs to answer is whether your own playbook gets you under that window or over it.
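
One way to start the laptop audit described above, as an added example that is not from OpenAI or the original article: a Python scan of a directory tree for plaintext npm and GitHub tokens, PEM private keys, and signing-key containers. The function names, rule set, and sample files are assumptions made for illustration; the token patterns follow the public npm `.npmrc` and GitHub token-prefix conventions, not anything stated in the disclosure.

```python
import os, re, tempfile
from pathlib import Path
# Plaintext secret patterns (added example; extend for your own environment).
CONTENT_RULES = {
    "npm auth token": re.compile(r"_authToken\s*=\s*\S+"),
    "GitHub token": re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})"),
    "PEM private key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
}
# Binary key containers are flagged by extension; their contents are not parsed.
KEY_EXTENSIONS = {".p12": "PKCS#12 bundle", ".pfx": "PKCS#12 bundle", ".p8": "PKCS#8 key file"}
SKIP_DIRS = {"node_modules"}
MAX_BYTES = 1_000_000  # credentials live in small config files; skip larger ones

def audit(root):
    """Return sorted (relative_path, finding, readable_by_other_users) tuples; never the secret."""
    root, findings = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if not path.is_file():  # skip sockets, FIFOs, broken symlinks
                    continue
                st = path.stat()
                rel, loose = str(path.relative_to(root)), bool(st.st_mode & 0o077)
                ext = path.suffix.lower()
                if ext in KEY_EXTENSIONS:
                    findings.append((rel, KEY_EXTENSIONS[ext], loose))
                    continue
                big = st.st_size > MAX_BYTES
                text = "" if big else path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: nothing to report
            findings += [(rel, label, loose) for label, rx in CONTENT_RULES.items() if rx.search(text)]
    return sorted(findings)

def demo():
    """Run the audit over a constructed tree (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        samples = {".npmrc": "//registry.npmjs.org/:_authToken=CONSTRUCTED-VALUE\n",
                   "deploy.env": "GITHUB_TOKEN=ghp_" + "A" * 36 + "\n",
                   "certs/signing.p12": "constructed placeholder, not a real bundle",
                   "notes.txt": "nothing sensitive here\n",
                   "node_modules/pkg/.npmrc": "_authToken=skipped\n"}
        for rel, body in samples.items():
            (home / rel).parent.mkdir(parents=True, exist_ok=True)
            (home / rel).write_text(body)
            (home / rel).chmod(0o600 if rel == ".npmrc" else 0o644)
        return audit(home)
```

Point `audit()` at a home directory or a checkout to get the list of files to move into a hardware token, HSM, or CI-side secret store; the third field flags files whose mode also lets other local users read them.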