OpenAI confirmed it was caught up in the "Mini Shai-Hulud" npm supply chain attack, in which malware hidden in compromised TanStack packages reached two employee devices and allowed attackers to steal a limited amount of internal credentials. The two affected machines had not yet received updated supply chain security controls that would have blocked the malicious dependency. As a precaution, OpenAI is rotating signing certificates for several desktop products — including ChatGPT Desktop, Codex App, and Codex CLI — and says there is no evidence that customer data or production systems were compromised.