OpenAI Targeted in TanStack npm Supply Chain Attack: What You Need to Know
- May 16
- 3 min read
Key Findings
OpenAI confirmed that two employee devices were compromised in the TanStack supply chain attack, exposing limited credential material from internal source code repositories
The TeamPCP hacking group distributed 84 malicious packages through the TanStack ecosystem using the Mini Shai-Hulud worm, which exploited GitHub Actions OIDC tokens and generated valid SLSA Level 3 attestations
Code-signing certificates for iOS, macOS, Windows, and Android applications were exposed, prompting OpenAI to revoke and re-sign affected software
macOS users must update their OpenAI applications before June 12, 2026, or the software may stop functioning
No customer data, production systems, intellectual property, or deployed software were compromised
The incident highlights a broader threat landscape shift toward targeting shared software dependencies rather than individual companies
Background
The Mini Shai-Hulud worm campaign represents a sophisticated supply chain attack that exploited weaknesses in open source package publishing processes. TeamPCP initially compromised legitimate npm packages through hijacked GitHub Actions OIDC tokens, then spread to other projects including UiPath, DraftLab, and others. The malware generated valid SLSA Level 3 attestations, making malicious packages appear legitimate to developers and security systems alike.
Attack Vector and Scope
The malware targeted over 100 credential locations within CI/CD environments, including GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and environment files. Beyond credential theft, the worm installed persistence mechanisms in developer tools like VS Code and Claude Code, allowing it to survive package removal and spread automatically to other packages controlled by compromised maintainers. The campaign ultimately affected hundreds of npm and PyPI packages across multiple organizations.
Impact on OpenAI
Two OpenAI employee devices downloaded malicious packages linked to the Mini Shai-Hulud campaign, resulting in unauthorized access and credential exfiltration from a limited subset of internal source code repositories. The compromised repositories included code-signing certificates used across OpenAI's iOS, macOS, Windows, and Android applications. However, OpenAI confirmed that only limited credential material was successfully exfiltrated and no other information, code, or customer data was impacted.
Response and Remediation
OpenAI immediately rotated all exposed credentials, revoked active sessions, and temporarily tightened restrictions around code deployment workflows. The company revoked all compromised code-signing certificates and began re-signing affected software packages. Security teams reviewed all previous software notarizations to confirm no unauthorized signing occurred and validated that published software contained no unauthorized modifications. The company also coordinated with platform providers to block any attempts to abuse stolen certificates for malicious notarization.
macOS Update Requirement
Because Apple's notarization process requires current certificates to launch applications and deliver updates, OpenAI is requiring macOS users to update to the latest version of OpenAI applications before June 12, 2026. After this date, software signed with the older certificates may stop receiving updates and could eventually stop functioning. Windows and iOS users are not affected and require no action. This precautionary measure prevents any potential risk of someone distributing a fake OpenAI application using the stolen certificates.
Broader Implications
OpenAI noted that this incident occurred during an ongoing migration to hardened configurations introduced after an earlier Axios supply chain attack. The two infected employee devices had not yet received the updated protections that likely would have prevented the malicious package downloads. The company emphasized that this breach reflects a significant shift in the threat landscape, with attackers increasingly targeting shared software dependencies and development tooling rather than attacking single companies directly.
Sources
https://securityaffairs.com/192222/hacking/openai-hit-by-supply-chain-attack-linked-to-malicious-tanstack-packages.html
https://www.bleepingcomputer.com/news/security/openai-confirms-security-breach-in-tanstack-supply-chain-attack/
https://www.theregister.com/security/2026/05/15/openai-caught-in-tanstack-npm-supply-chain-chaos-after-employee-devices-compromised/5241019
https://therecord.media/openai-asks-macos-users-to-update-tanstack-npm

Comments