OpenAI Compromised in TanStack Supply Chain Attack; macOS Updates Required
OpenAI has been forced to rotate code-signing certificates and update several desktop applications after a supply chain attack on the TanStack library led to the compromise of two employee devices and the exfiltration of internal credentials.
OpenAI has confirmed that two of its employee devices were compromised as part of a widespread supply chain attack targeting the TanStack open-source library. The breach, which occurred on May 11, allowed attackers to exfiltrate limited credential material from internal source code repositories accessible by the affected machines. OpenAI stated that no customer data, production systems, or intellectual property were compromised during the incident The Hacker News SecurityWeek.
The attack was part of a broader campaign known as "Mini Shai-Hulud," orchestrated by a threat group identified as TeamPCP. The attackers successfully published 84 malicious artifacts across 42 TanStack packages by exploiting vulnerabilities in the project's package publishing process. TanStack noted that the attackers engineered a path to steal publishing tokens directly from their CI pipeline by leveraging a trusted cache The Hacker News. The malicious packages were designed to deploy the Shai-Hulud worm, a modular malware framework capable of harvesting GitHub tokens, cloud secrets, and other developer credentials The Register SecurityWeek.
OpenAI reported that the two impacted employee devices had not yet been updated with new, hardened supply chain security controls—a phased rollout initiated following a separate supply chain incident involving the Axios library in late March 2026 SecurityWeek The Register. Upon discovering the breach, OpenAI isolated the affected systems, revoked user sessions, and rotated credentials across the impacted repositories The Hacker News.
As a precautionary measure, OpenAI is revoking and replacing code-signing certificates that were present in the compromised repositories. This affects macOS versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas. Users of these applications are required to update to the latest versions before June 12, 2026, at which point the old certificates will be invalidated, potentially preventing the apps from launching or receiving further updates The Hacker News SecurityWeek.
The incident highlights a significant escalation in supply chain threats. TeamPCP has recently released the source code for the Shai-Hulud worm and launched a "supply chain attack contest" on BreachForums, offering monetary rewards for successful compromises SecurityWeek. Security researchers warn that this move lowers the barrier for entry for other threat actors and is likely to result in a surge of mutated, harder-to-detect supply chain attacks SecurityWeek.
This event underscores the growing risk to the interconnected software ecosystem, where vulnerabilities in upstream dependencies can be weaponized to bypass internal security perimeters. As attackers increasingly target developer infrastructure and CI/CD pipelines, organizations are being urged to treat these environments as critical production-grade attack surfaces, implement strict OIDC trusted publishing, and monitor package installation behavior closely SecurityWeek.