Hackers stole OpenAI’s npm credentials via two employee laptops but failed to reach customer data or production systems.
- Hackers stole OpenAI’s npm login details after infecting two employee devices.
- Company had to rotate signing certificates for several desktop products.
- No customer data, production systems, or deployed software were compromised.
OpenAI says attackers broke into two of its employees’ laptops last month and made off with npm account credentials, forcing the company to rotate signing certificates for several desktop products. The company revealed the breach in a short post on its security blog, saying the incident was tied to a larger campaign targeting npm ecosystems called ‘Mini Shai-Hulud.’ OpenAI stressed that no customer data, production systems, or deployed software were touched during the attack, but it still had to revoke and reissue certificates for some desktop tools to block further risk.
The breach happened just as OpenAI was rolling out new supply chain security controls. Those updates were introduced after a separate incident earlier this year, when a supply chain attack through the Axios package nearly hit OpenAI’s internal systems. The company didn’t say which employees were targeted or where they worked, but it did note that the two infected devices hadn’t yet received the latest package management protections that would have blocked the malicious dependencies used by the attackers.
How the attack unfolded
OpenAI’s security team says the hackers got in through a compromised npm package that was pulled into the employees’ development environments. Once inside, the attackers grabbed the npm credentials stored on those laptops and used them to push malicious updates through OpenAI’s internal package feeds. The company caught the breach quickly and shut it down before the packages could reach any production or customer-facing systems.
This isn’t the first time OpenAI has faced supply chain threats. Earlier this year, a similar attack via the Axios package triggered a company-wide review of how it handles third-party code. OpenAI says it’s now accelerating plans to add stricter controls, including mandatory code signing, dependency allowlisting, and automated vulnerability scanning for all internal packages.
What OpenAI’s doing now
The company has already rotated the signing certificates for the affected desktop products and is forcing all employees to update their package managers and npm clients. OpenAI’s security chief, Brad Lightcap, sent an internal memo warning teams to treat every npm package as untrusted until further notice. The memo also told employees to avoid installing packages from personal accounts and to use only packages approved by OpenAI’s security team.
OpenAI’s post didn’t mention whether any other companies were hit in the same campaign, but security researchers tracking ‘Mini Shai-Hulud’ say it’s been spreading quietly across the npm registry for weeks. The attackers appear to be targeting smaller development teams first, using stolen credentials to push malicious updates that look like legitimate patches.
Why this matters for everyone
Supply chain attacks like this one are getting harder to stop because they exploit the trust developers place in third-party code. Even a single compromised package can spread across thousands of projects in hours. OpenAI’s case shows how fast things can go wrong when attackers slip past basic defenses. It also highlights how much damage can be done before anyone notices—especially if the stolen credentials aren’t locked down tightly.
The incident comes at a time when tech companies are under pressure to lock down their software supply chains after high-profile breaches at SolarWinds, 3CX, and others. OpenAI’s response—rotating certificates, tightening controls, and pushing urgent updates—is becoming the new normal for companies that want to stay ahead of these attacks. For developers, the lesson is clear: trust no package, verify everything, and assume your credentials are always at risk.
What You Need to Know
- Source: The Register
- Published: May 15, 2026 at 10:08 UTC
- Category: Technology
- Topics: #theregister · #tech · #enterprise · #openai · #open
Read the Full Story
This is a curated summary. For the complete article, original data, quotes and full analysis:
All reporting rights belong to the respective author(s) at The Register. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.
Curated by GlobalBR News · May 15, 2026
Related Articles
- Trump Brand’s First Phone Finally Ships After 9-Month Holdup
- NYT Connections Sports Edition Answers & Hints for May 17, #601
- Tesla quietly shelves Solar Roof, bet big on cheap panels
🇧🇷 Resumo em Português
A OpenAI, criadora do ChatGPT, confirmou um ataque cibernético que expôs suas credenciais internas do npm, o maior repositório de pacotes de software do mundo, após dois dispositivos de funcionários terem sido invadidos por hackers. O incidente acende um alerta sobre a segurança em cadeias de suprimentos de software, um problema que afeta não só gigantes tecnológicos, mas também empresas e desenvolvedores brasileiros que dependem de ferramentas open source para inovação.
O ataque ocorreu após os invasores obterem acesso a máquinas de funcionários da OpenAI, roubando credenciais que davam permissão para publicar pacotes no npm. Embora a empresa tenha afirmado que nenhum dado de clientes foi comprometido, a situação reforça a vulnerabilidade de toda a cadeia de desenvolvimento de software, especialmente em um ecossistema global onde repositórios como o npm são amplamente utilizados. No Brasil, onde startups e grandes empresas apostam cada vez mais em soluções baseadas em IA e desenvolvimento ágil, o incidente serve como um lembrete urgente sobre a necessidade de reforçar medidas de segurança, como autenticação multifator e monitoramento de acessos suspeitos.
A OpenAI já iniciou a rotação de credenciais e investiga o caso, mas o episódio levanta dúvidas sobre como outras empresas podem estar expostas a riscos semelhantes, exigindo atenção redobrada no futuro próximo.
🇪🇸 Resumen en Español
OpenAI ha confirmado un grave incidente de seguridad que expuso sus credenciales internas de npm tras el hackeo de dos dispositivos de empleados, una brecha que pone en jaque la confianza en la gestión de paquetes de código más utilizada en el desarrollo de software.
El ataque, que no afectó a datos de clientes pero obligó a la empresa a rotar sus credenciales de escritorio, revela una vez más las vulnerabilidades en la cadena de suministro del software, un riesgo crítico cuando proyectos como el de OpenAI dependen de miles de dependencias externas. Para los desarrolladores hispanohablantes, este episodio subraya la importancia de reforzar la seguridad en entornos colaborativos y de auditar periódicamente los repositorios de código, especialmente en un ecosistema donde la innovación suele ir por delante de las medidas de protección.
The Register
Read full article at The Register →This post is a curated summary. All rights belong to the original author(s) and The Register.
Was this article helpful?
Discussion