Push Security reports that attackers are creating OpenAI organizations that impersonate legitimate companies and inviting employees, including at cybersecurity firms, to join them, aiming to trick people into entering sensitive company information into chats and projects under attacker control. The danger is that the invitations come from OpenAI's own infrastructure, so they are genuine messages and slip past email security controls that would catch ordinary phishing. It is a reminder that trusted SaaS platforms can be turned into phishing channels through their normal invitation features, where the message itself is legitimate even though the inviting organization is fraudulent. Verification of unexpected invites is the key defense.
Two days after the Mini Shai-Hulud worm tore through TanStack and Mistral AI packages, the named-victim count grew sharply. OpenAI confirmed that two employee devices were compromised through the TanStack supply-chain chain and that a limited subset of internal source code repositories had credential material exfiltrated; the company is rotating its macOS code-signing certificates and tells Mac users they must update ChatGPT Desktop, Codex, and Atlas apps by June 12, 2026, or the apps will stop launching. TeamPCP separately listed 450 Mistral AI private repositories on a criminal forum for 25,000 dollars. Mistral confirmed a codebase management system was temporarily compromised on May 12 but says hosted services and user data were not impacted.
LiteLLM, the popular open-source gateway used to centralize API access for OpenAI, Anthropic, and other AI providers, has a critical pre-authentication SQL injection bug that attackers started exploiting just 36 hours after the security advisory went public. The flaw lets anyone who can reach the proxy port read all the API keys stored inside - including master keys, virtual keys, and provider credentials. The bug was in the bearer-token check: the token was concatenated into a SQL query instead of passed as a parameter. Sysdig saw the first attack at 04:24 UTC on April 26, hitting three tables that hold the most valuable secrets.