OpenAI has confirmed that two of its employees’ devices were compromised in the recent TanStack supply chain attack, which affected hundreds of npm and PyPI packages. As a precautionary measure, the company has rotated its application code-signing certificates.
In a security advisory released today, the company said the incident did not affect customer data, production systems, intellectual property, or any deployed software.
OpenAI attributes the breach to the “Mini Shai-Hulud” supply-chain campaign orchestrated by the TeamPCP extortion group. This campaign specifically targeted developers by injecting malicious updates into widely trusted software packages.
“We detected activity matching the malware’s known behavior, including unauthorized access and attempts to steal credentials, within a small number of internal source code repositories accessible to the two affected employees,” OpenAI stated.
The company emphasized that only a limited set of credentials were taken and there is no indication they were used in further attacks.
In response, OpenAI isolated the compromised systems and accounts, terminated active sessions, rotated all relevant credentials, and temporarily halted deployment processes. A third-party incident response firm assisted in the forensic investigation.
The incident also exposed code-signing certificates for OpenAI’s macOS, Windows, iOS, and Android applications. Although no misuse of these certificates has been detected, OpenAI is proactively rotating them.
macOS users will need to update their OpenAI desktop apps by June 12, 2026, as older signed applications may fail to launch or receive updates due to Apple’s notarization requirements.
Windows and iOS users are unaffected and do not need to take any action.
The TanStack supply chain attack
The OpenAI incident is part of a large-scale Mini Shai-Hulud campaign that compromised hundreds of npm and PyPI packages earlier this week.
The attack first targeted packages from TanStack and Mistral AI, then expanded to other projects like UiPath, Guardrails AI, and OpenSearch, using stolen CI/CD credentials and legitimate release workflows.
Security researchers from Socket and Aikido identified hundreds of tampered packages distributed through official repositories.
According to TanStack’s post-mortem report, attackers exploited vulnerabilities in the project’s GitHub Actions workflows and CI/CD setup to run malicious code, extract tokens from memory, and publish compromised packages through TanStack’s standard release process.
This method allowed the malicious versions to appear as legitimate releases.
The Mini Shai-Hulud malware was designed to steal developer and cloud credentials, such as GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and .env files.
Security experts note that the malware also ensured persistence on infected systems by altering Claude Code hooks and VS Code auto-run tasks, making it resilient even after package removal.
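A defender-side audit for the two persistence locations described above, as an added example that is not from OpenAI, TanStack or the researchers cited: it lists every VS Code task set to run on folder open and every Claude Code hook command in a workspace so each can be reviewed by hand. The file paths and JSON keys are assumptions taken from the two tools' documented configuration format, not from the article, and the sample workspace is constructed.

```python
import json, re, tempfile
from pathlib import Path

# Assumed paths: the tools' documented per-workspace config files, not named in the article.
CONFIGS = (".vscode/tasks.json", ".claude/settings.json", ".claude/settings.local.json")
_STR = r'("(?:\\.|[^"\\])*")'  # a JSON string literal, captured so it can be kept intact

def load_jsonc(path):
    """Parse JSON that may contain comments and trailing commas, as VS Code permits."""
    text = path.read_text(encoding="utf-8", errors="replace")
    keep = lambda m: m.group(1) or ""  # keep string literals, drop whatever else matched
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    doc = json.loads(re.sub(_STR + r"|,(?=\s*[}\]])", keep, text))
    return doc if isinstance(doc, dict) else {}

def audit_workspace(root):
    """List (file, trigger, command) for every auto-run task and hook command under root."""
    findings = []
    for rel in (c for c in CONFIGS if Path(root, c).is_file()):
        try:
            doc = load_jsonc(Path(root, rel))
        except ValueError:
            findings.append((rel, "unparseable", ""))  # cannot be judged automatically
            continue
        for task in doc.get("tasks", []):  # VS Code: tasks that start when the folder opens
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                parts = [task.get("command", "")] + task.get("args", [])
                findings.append((rel, "folderOpen", " ".join(map(str, parts))))
        for event, groups in doc.get("hooks", {}).items():  # Claude Code: hook commands
            findings += [(rel, event, h.get("command", "")) for g in groups for h in g.get("hooks", [])]
    return findings

def build_sample(root):
    """Constructed workspace: one ordinary build task, one auto-run task, one hook."""
    for d in (".vscode", ".claude"):
        Path(root, d).mkdir()
    Path(root, ".vscode/tasks.json").write_text('''{ // constructed sample
      "tasks": [
        {"label": "build", "command": "npm", "args": ["run", "build"]},
        {"label": "sync", "command": "node", "args": ["./placeholder.js"], "runOptions": {"runOn": "folderOpen"}},
      ]}''')
    Path(root, ".claude/settings.json").write_text(json.dumps({"hooks": {"PreToolUse": [
        {"matcher": "Bash", "hooks": [{"type": "command", "command": "node ./placeholder.js"}]}]}}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit_workspace(tmp), sep="\n")
```

A finding is only a prompt for review: legitimate projects also define auto-run tasks and hooks, so compare each command against what the repository is known to need.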
The malware propagated to other projects by leveraging stolen GitHub and npm credentials to hijack maintainer accounts, embed malicious code in package tarballs, and release new trojanized versions to repositories.
Microsoft Threat Intelligence also reported the deployment of a Linux-based information-stealing tool targeting systems with Russian-language software. The malware included a destructive component that could trigger a recursive wipe command on certain Israeli or Iranian systems.
OpenAI highlighted that this incident reflects a broader trend of attackers focusing on the software supply chain to achieve widespread impact across multiple organizations.
“Today’s software relies on a tightly interconnected network of open-source libraries, package managers, and CI/CD pipelines, meaning a single upstream vulnerability can rapidly spread across many organizations,” the company noted.




