OpenAI Confirms Security Breach from TanStack npm Attack

Two employee devices at OpenAI were compromised during a widespread software supply chain attack targeting TanStack npm. Despite this infiltration, the artificial intelligence company has confirmed that no user data, production systems, or intellectual property were affected.

On May 11, 2026 UTC, threat actors launched a campaign dubbed “Mini Shai-Hulud” a coordinated supply chain offensive orchestrated by the TeamPCP extortion gang.

The attackers injected malicious code into TanStack, a widely used open-source JavaScript library, by abusing weaknesses in the project’s GitHub Actions workflows and CI/CD configuration.

This allowed malicious package versions to be published directly through TanStack’s legitimate release pipeline, making them appear entirely trustworthy to consuming systems.

OpenAI Confirms Security Breach

OpenAI’s corporate environment ingested the compromised package before updated security controls were in place, resulting in two employee workstations being silently infected.

OpenAI’s investigation, supported by a third-party digital forensics and incident response firm, identified credential-focused exfiltration activity across a limited subset of internal source code repositories that the two impacted employees could access.

Only limited credential material was successfully exfiltrated; no customer data, intellectual property, or production code was altered or stolen.

Critically, the impacted repositories contained code-signing certificates for OpenAI products across iOS, macOS, Windows, and Android platforms. While no evidence of certificate misuse was detected, OpenAI is rotating all signing certificates as a precautionary measure.

OpenAI moved quickly to contain the damage upon detecting malicious activity:

• Isolated impacted systems and identities
• Revoked all active user sessions on affected accounts
• Rotated credentials across all impacted repositories
• Temporarily restricted code-deployment workflows
• Engaged a third-party incident response firm for forensic analysis
• Coordinated with platform providers to block new notarizations using the old certificates

Because the compromised repositories included macOS code-signing certificates, all macOS users must update their OpenAI apps before June 12, 2026.

Affected applications include ChatGPT Desktop (last version: 1.2026.125), Codex App (26.506.31421), Codex CLI (0.130.0), and Atlas (1.2026.119.1).

After June 12, 2026, Apple’s macOS security protections will block any app still signed with the old certificate from launching or receiving updates. Windows and iOS users do not need to take any action.

Users should only download updates through in-app mechanisms or official OpenAI pages and must avoid third-party download sites, email links, or unsolicited installers posing as OpenAI software.

The Mini Shai-Hulud campaign extended far beyond OpenAI, compromising hundreds of npm and PyPI packages from projects including Mistral AI, UiPath, Guardrails AI, and OpenSearch.

The malware specifically targeted developer and cloud credentials, GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and .env files weaponizing the very tools modern DevOps teams depend on daily.

This incident follows OpenAI’s earlier Axios developer tool compromise, after which the company began deploying hardened CI/CD pipeline controls and package manager configurations with security constraints like minimumReleaseAge.

The two compromised devices had not yet received those updated configurations, a gap the attackers exploited.

OpenAI’s breach underscores a stark industry reality: the modern software supply chain is an attack surface. As organizations build on deeply interconnected open-source ecosystems, a single upstream compromise can silently propagate across hundreds of downstream targets within hours.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.