OpenAI confirms data breach from TanStack npm supply chain attack
Key Takeaways
- OpenAI confirmed that two employee devices were compromised as part of a broader supply chain attack targeting the TanStack npm library.
- The breach allowed limited exfiltration of credential material from internal source code repositories, including code-signing certificates for OpenAI products.
- No customer data, intellectual property, or production systems were affected, but macOS users must update their OpenAI applications by June 12, 2026.
- The “Mini Shai-Hulud” campaign, orchestrated by TeamPCP, leveraged weaknesses in GitHub Actions and CI/CD configurations to inject malicious code into open-source packages.
OpenAI Employee Devices Compromised in TanStack Supply Chain Attack
OpenAI has confirmed that two employee workstations were infiltrated during a widespread software supply chain attack that targeted the popular TanStack npm JavaScript library. Despite the breach, the artificial intelligence giant stated that no user data, production systems, or core intellectual property were compromised.
The incident is part of a sophisticated campaign dubbed “Mini Shai-Hulud,” launched on May 11, 2026 UTC, by the extortion group TeamPCP. The attackers exploited vulnerabilities within TanStack’s GitHub Actions workflows and CI/CD configurations to inject malicious code directly into the library’s release pipeline. This tactic allowed the compromised package versions to appear legitimate and trustworthy to consuming systems, facilitating their silent propagation.
Details of the OpenAI Breach
OpenAI’s internal environment ingested the compromised TanStack package before updated security controls could be fully deployed, leading to the infection of two employee devices. An investigation by OpenAI, supported by a third-party digital forensics and incident response firm, uncovered credential-focused exfiltration attempts from a limited number of internal source code repositories accessible by the two impacted employees.
While some credential material was successfully exfiltrated, OpenAI emphasized that no customer data, intellectual property, or production code was altered, stolen, or accessed beyond the limited scope. Crucially, the affected repositories contained code-signing certificates for OpenAI applications across iOS, macOS, Windows, and Android platforms. Although no evidence of certificate misuse has been found, OpenAI is rotating all signing certificates as a proactive security measure.
OpenAI’s Incident Response Actions
Upon detecting the malicious activity, OpenAI initiated a rapid response to contain the breach:
- Impacted systems and user identities were immediately isolated.
- All active user sessions on affected accounts were revoked.
- Credentials across all compromised repositories were rotated.
- Code-deployment workflows were temporarily restricted.
- A third-party incident response firm was engaged for comprehensive forensic analysis.
- Coordination with platform providers was undertaken to block new notarizations using the old certificates.
Mandatory macOS App Updates
Due to the compromise of macOS code-signing certificates, all macOS users of OpenAI applications are required to update their software before June 12, 2026. After this date, Apple’s macOS security features will prevent any application still signed with the old certificates from launching or receiving further updates. Affected applications include ChatGPT Desktop (version 1.2026.125), Codex App (26.506.31421), Codex CLI (0.130.0), and Atlas (1.2026.119.1). Users on Windows and iOS platforms are not required to take any action.
OpenAI advises users to obtain updates exclusively through official in-app mechanisms or authorized OpenAI web pages, cautioning against downloading software from third-party sites, email links, or unsolicited installers.
Broader Impact of Mini Shai-Hulud
The “Mini Shai-Hulud” campaign extended beyond OpenAI, successfully compromising hundreds of npm and PyPI packages from various projects, including Mistral AI, UiPath, Guardrails AI, and OpenSearch. The malware specifically targeted sensitive developer and cloud credentials, such as GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and .env files, effectively weaponizing the very tools essential for modern DevOps operations.
This incident follows a previous compromise involving OpenAI’s Axios developer tool, which prompted the company to implement hardened CI/CD pipeline controls and package manager configurations with security constraints like minimumReleaseAge. The two devices affected in the TanStack attack had not yet received these updated security configurations, a lapse exploited by the attackers. The breach at OpenAI serves as a stark reminder of the inherent risks in the modern software supply chain, where a single upstream compromise can rapidly propagate across numerous downstream targets.
What You Should Do
- Update macOS OpenAI Applications: If you are a macOS user of OpenAI applications, update your software (ChatGPT Desktop, Codex App, Codex CLI, Atlas) immediately through official channels before June 12, 2026.
- Verify Update Sources: Always download software updates directly from official in-app mechanisms or OpenAI’s official website. Avoid third-party download sites, email links, or unsolicited installers.
- Monitor for Suspicious Activity: Organizations should enhance monitoring for unusual activity related to developer credentials, GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and .env files.
- Strengthen Supply Chain Security: Implement and enforce robust CI/CD pipeline controls, package manager configurations with security constraints (e.g., minimumReleaseAge), and regular security audits of open-source dependencies.
- Rotate Credentials: Regularly rotate critical developer and cloud credentials, especially those associated with CI/CD pipelines and package publishing.
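The release-age constraint recommended above (minimumReleaseAge) amounts to refusing any dependency version published more recently than a cooldown window. The sketch below is an added example, not code from OpenAI, TanStack, or any package manager; the function name checkReleaseAge, the package names, versions, timestamps and the 1440-minute window are all constructed for illustration.

```javascript
// Release-age ("cooldown") gate over lockfile pins. Added example.
// All package names, versions and timestamps are constructed sample data.

// Shape follows the npm registry packument "time" map: version -> ISO publish time.
const samplePackuments = {
  "example-router": { time: { "1.4.0": "2026-03-02T10:00:00Z", "1.4.1": "2026-05-11T19:20:00Z" } },
  "example-query": { time: { "5.0.0": "2026-01-15T08:00:00Z" } },
  "example-internal": { time: {} }, // no publish time recorded for the pinned version
};

// Dependencies as pinned in a lockfile (constructed).
const sampleLocked = [
  { name: "example-router", version: "1.4.1" },
  { name: "example-query", version: "5.0.0" },
  { name: "example-internal", version: "0.2.0" },
];

// Returns every pinned version that is younger than minAgeMinutes at `now`,
// or whose publish time cannot be established.
function checkReleaseAge(locked, packuments, minAgeMinutes, now, exclude = []) {
  const violations = [];
  for (const { name, version } of locked) {
    if (exclude.includes(name)) continue; // explicitly trusted, e.g. first-party packages
    const published = packuments[name]?.time?.[version];
    const publishedMs = published ? Date.parse(published) : NaN;
    if (Number.isNaN(publishedMs)) {
      // Fail closed: an unknown publish time cannot prove the version is old enough.
      violations.push({ name, version, reason: "unknown-publish-time" });
      continue;
    }
    const ageMinutes = Math.floor((now.getTime() - publishedMs) / 60000);
    if (ageMinutes < minAgeMinutes) {
      violations.push({ name, version, reason: "too-new", ageMinutes });
    }
  }
  return violations;
}

// Evaluate as of a fixed instant so the result is reproducible.
const asOf = new Date("2026-05-12T01:20:00Z");
console.log(checkReleaseAge(sampleLocked, samplePackuments, 1440, asOf, ["example-internal"]));
```

A gate like this only helps on machines where it is actually enforced, which is the gap the article describes for the two affected devices.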
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


