OpenAI has revealed that two of its employees’ devices within its corporate network were affected by the Mini Shai-Hulud supply chain assault on TanStack. However, the company emphasized that no user data, production systems, or intellectual property were breached or tampered with without authorization.
“As soon as we detected the malicious activity, we moved swiftly to investigate, contain, and implement measures to safeguard our systems,” OpenAI stated. “We identified patterns matching the malware’s publicly documented behavior, including unauthorized entry and credential-related data theft, within a restricted set of internal source code repositories accessible to the two affected employees.”
The AI startup confirmed that only a small amount of credential data was successfully extracted from these code repositories, stressing that no other code or information was touched.
After being notified of the incident, OpenAI said it quarantined compromised systems and accounts, terminated active user sessions, reset all credentials tied to the affected repositories, temporarily suspended code-deployment processes, and conducted a thorough audit of user and credential activity.
Given that the impacted repositories contained signing certificates for iOS, macOS, and Windows products, the company chose to revoke those certificates and generate new ones. Consequently, macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas must update their applications to the newest versions.
“This step helps eliminate any potential risk—however slim—of someone trying to distribute a counterfeit app impersonating OpenAI,” OpenAI explained. “Windows and iOS users do not need to take any action.”
The certificates are set to be revoked on June 12, 2026. After this date, downloads and launches of apps signed with the old certificate will be blocked by macOS’s built-in security features. Users are encouraged to install the updates before the cutoff date for the strongest level of protection.
This marks the second time in just a few months that OpenAI has had to rotate its macOS code-signing certificates. In mid-April 2026, the company performed a similar rotation after a GitHub Actions workflow used to sign its macOS apps inadvertently downloaded the malicious Axios library on March 31. That library had been compromised by a North Korean hacking outfit known as UNC1069.
“This incident highlights a wider shift in the threat landscape: attackers are increasingly going after shared software dependencies and development tooling rather than targeting any individual company,” OpenAI noted.
“Today’s software is constructed on a tightly woven network of open-source libraries, package managers, and continuous integration/deployment pipelines. As a result, a single vulnerability introduced upstream can spread rapidly and widely across multiple organizations.”
This development follows closely on the heels of TeamPCP announcing a string of new victims, having compromised hundreds of packages linked to TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. These actions are part of an ongoing supply chain attack campaign engineered to deliver malware to downstream developers and harvest credentials from their systems, further expanding the reach of the breaches.
“To be clear, no maintainer was tricked through phishing, and no passwords or tokens were stolen from their accounts,” TanStack explained. “The attacker devised a scheme where our own CI pipeline handed over its own publishing token to them—at the exact instant it was generated—through a cache that every participant in the chain implicitly trusted. It’s an elaborate tactic that we didn’t foresee, and one we’re treating with the utmost seriousness.”
TeamPCP has since launched a supply chain attack competition in collaboration with the Breached cybercrime forum, offering $1,000 in Monero to anyone who can compromise open-source packages using the Shai-Hulud worm, which the group has freely shared. The hacking team has also threatened to leak roughly 5GB of Mistral AI’s internal source code, requesting a $25,000 buy-it-now price from interested buyers.
“We are seeking a $25k BIN, or they can pay this amount and we will permanently destroy these files. We’ll sell only to the top bidder, limited to one buyer. If we can’t find a purchaser within a week, we’ll leak everything for free on the forums,” TeamPCP posted.
In an updated security advisory, Mistral AI confirmed it had fallen victim to a supply chain attack stemming from the TanStack compromise, which resulted in the release of tampered versions of its npm and PyPI SDKs. The company also confirmed that one developer device was affected in the breach. There is no evidence to suggest that its broader infrastructure was penetrated.
An in-depth analysis of the modular Python toolkit deployed to Linux systems through the guardrails-ai and mistralai packages revealed that the primary command-and-control (C2) server address (“83.142.209[.]194”) is hard-coded into the malware. Should the primary C2 server become inaccessible, it activates a backup mechanism named FIRESCALE.
“When the main C2 server is unreachable, the malware scans every public GitHub commit message worldwide for an alternative server URL, which it validates using an embedded 4096-bit RSA key,” Hunt.io reported. “Stolen data is exfiltrated through three sequential channels: the primary C2 server, the FIRESCALE dead-drop redirect, and the victim’s own GitHub repository. Disrupting any single pathway still leaves the other two operational.”
The cybersecurity firm also disclosed that the collection module responsible for stealing Amazon Web Services (AWS) credentials targets all 19 availability zones, including us-gov-east-1 (AWS GovCloud – US East) and us-gov-west-1 (AWS GovCloud – US West), which are reserved exclusively for U.S. government agencies and defense contractors.
Another distinctive feature of the campaign is its destructive payload. On machines located in Israel or Iran, there is a 1-in-6 chance that a routine will trigger audio playback at full volume before wiping every accessible file. The malware also resides on systems configured with a Russian locale setting.
The targeted destructive behavior aimed at specific regions echoes the “kamikaze” wiper that TeamPCP previously deployed against Iran-based Kubernetes clusters during an earlier supply chain attack that distributed a self-replicating worm called CanisterWorm. These repeated attacks suggest a deliberate, coordinated operation rather than opportunistic activity.
But there’s more. A closer inspection of the attacker-controlled infrastructure uncovered that three different IP addresses within the 83.142.209[.]0/24 subnet operated as C2 servers: 83.142.209[.]194, 83.142.209[.]11, and 83.142.209[.]203. The latter two were previously used in the March 2026 supply chain attacks targeting Checkmarx and Telnyx, respectively.
“Both C2 addresses—83.142.209[.]194 and 83.142.209[.]203—were first detected with active SSH services on November 15 and 21, 2025, approximately four months before the TanStack attack became public,” said Esteban Borges, head of research at Hunt.io, in an email to The Hacker News. “The 83.142.209[.]0/24 block was set up during TeamPCP’s pre-attack preparation phase and kept inactive to build a clean operational history before being put into use. This practice of aging infrastructure is fairly typical among organized threat groups.”
“That same subnet appeared across every major TeamPCP wave we tracked through May 2026—not only in the TanStack and FIRESCALE incidents, but also in the LiteLLM PyPI compromise, the Trivy scanner hijack via GitHub Actions, the Checkmarx KICS attack, and the Jenkins AST Plugin backdoor in May.”
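Because the whole /24 was staged ahead of use, a retrospective hunt should flag any egress into the block, not only the three named addresses. The sketch below is an added example, not code from Hunt.io or any affected vendor; the log format, the sample lines, and the names `refang` and `hunt` are constructed for illustration.

```python
import ipaddress
import re

# Indicators exactly as the article gives them (defanged).
C2_SUBNET = "83.142.209[.]0/24"
C2_HOSTS = ["83.142.209[.]194", "83.142.209[.]11", "83.142.209[.]203"]

def refang(text):
    """Undo the [.] defanging so addresses can be parsed."""
    return text.replace("[.]", ".")

SUBNET = ipaddress.ip_network(refang(C2_SUBNET))
KNOWN = {ipaddress.ip_address(refang(h)) for h in C2_HOSTS}
# Dotted quad not glued to other digits or dots, so 183.142.209.11
# is read as one address and never as a truncated 83.142.209.11.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def hunt(lines):
    """Return (line_no, ip, verdict) for each address inside the C2 subnet."""
    hits = []
    for no, line in enumerate(lines, 1):
        for token in IPV4.findall(refang(line)):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # looks like an IP but is not, e.g. 999.1.1.1
                continue
            if ip in KNOWN:
                hits.append((no, str(ip), "known-c2"))
            elif ip in SUBNET:
                hits.append((no, str(ip), "same-subnet"))
    return hits

# Constructed sample egress log; the field layout is an assumption.
SAMPLE_LOG = """\
2026-05-12T09:14:02Z build-07 pid=4411 python3 -> 140.82.112.3:443 allow
2026-05-12T09:14:05Z build-07 pid=4411 python3 -> 83.142.209.194:443 allow
2026-05-12T09:14:09Z dev-lt-22 pid=901 node -> 83.142.209.77:22 deny
2026-05-12T09:15:40Z dev-lt-22 pid=901 node -> 183.142.209.11:443 allow
2026-05-12T09:16:01Z analyst note: block 83.142.209[.]203 at the proxy
""".splitlines()

if __name__ == "__main__":
    for no, ip, verdict in hunt(SAMPLE_LOG):
        print(f"line {no}: {ip} ({verdict})")
```

A `same-subnet` hit is a lead to investigate rather than a confirmed C2 contact, since the article names only three addresses in the block.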
Hunt.io further noted that the FIRESCALE tool and the modular Python malware represent at least four distinct payloads linked to this infrastructure. These include an earlier version of the TeamPCP Cloud Stealer targeting CI/CD runner secrets, a cryptocurrency miner from the December 2025 exploitation phase, and VECT ransomware launched in late March 2026 using credentials harvested by previous tools.
“The toolkit is more powerful, more resilient, and more advanced,” Hunt.io assessed. “In addition to credential files, the malware captures every environment variable on the machine, reads all SSH keys and configuration files, traverses the entire home directory searching for dotenv files, and extracts credentials from running Docker containers.”
(This article was revised after publication on May 16, 2026, to include additional insights from Hunt.io)



