TanStack supply-chain attack hits two OpenAI devices

OpenAI said on May 13 that two employee devices were affected by a supply-chain attack tied to compromised TanStack npm packages, turning a broader open-source incident into a customer-facing software update for the company’s macOS apps. The company said it found no evidence that user data was accessed, that production systems or intellectual property were compromised, or that its software was altered. The incident still forced OpenAI to rotate code-signing certificates tied to several products after investigators found limited credential theft from internal repositories. OpenAI said macOS users must update ChatGPT Desktop, Codex App, Codex CLI and Atlas by June 12, 2026. ### How did a problem in TanStack reach OpenAI employees’ machines? TanStack’s own advisory said that on May 11, 2026, between about 19:20 and 19:26 UTC, 84 malicious versions across 42 `@tanstack/*` packages were published to npm. The advisory said the attacker used TanStack’s legitimate GitHub Actions trusted-publisher path and chained several weaknesses, including a `pull_request_target` misconfiguration, cache poisoning and extraction of an OIDC token from a runner process. (openai.com) OpenAI said the compromised library was part of a wider campaign known as “Mini Shai-Hulud.” The company said two employee devices in its corporate environment were impacted after the malicious packages were pulled into internal workflows, and that it moved to investigate and contain the activity once it was identified. ### What did the attackers get inside OpenAI? (github.com) OpenAI said its investigation found activity consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration from a limited subset of internal source-code repositories that the two employees could access. The company said only limited credential material was successfully exfiltrated and that no other information or code was affected. (openai.com) Security Week and BleepingComputer, citing OpenAI’s disclosure, reported that the affected repositories included code-signing certificates for products across macOS, iOS and Windows. OpenAI said its analysis had not identified misuse of the impacted credentials or any follow-on access by the threat actor. ### Why are Mac users being told to update apps now? (openai.com) OpenAI said the impacted repositories included signing certificates for its products, and that it is rotating those certificates as a precaution. The company said that step requires all macOS users to update their OpenAI applications to the latest versions to reduce the risk that someone could try to distribute a fake app appearing to come from OpenAI. (openai.com) The affected macOS apps are ChatGPT Desktop, Codex App, Codex CLI and Atlas, according to OpenAI’s notice. TechRepublic, citing the same company post, reported that users have until June 12 to install updated versions. ### What did OpenAI say it did after finding the intrusion? OpenAI said it engaged a third-party digital forensics and incident response firm as part of the investigation. (openai.com) The company said it isolated impacted systems and identities, revoked user sessions, rotated credentials across affected repositories, temporarily restricted code-deployment workflows and reviewed user and credential behavior. The Register reported that the incident occurred during a phased rollout of new supply-chain security controls that had been introduced after an earlier Axios-related incident, and that the two affected devices had not yet received package-management protections that would have blocked the malicious dependency. That detail was attributed by the publication to OpenAI. (openai.com) ### How broad was the TanStack compromise beyond OpenAI? GitHub’s advisory and Snyk’s write-up said the TanStack incident was part of a wider malware campaign that pushed credential-stealing code into trusted software pipelines. BleepingComputer and SecurityWeek reported that researchers linked the activity to the “Mini Shai-Hulud” campaign, which has affected packages beyond TanStack as investigators traced similar compromises across npm and PyPI ecosystems. (theregister.com) Wiz said one of the affected TanStack packages, `@tanstack/react-router`, is among the more widely used React routing libraries, with about 12 million weekly downloads. That scale helps explain why a compromise in a single namespace drew rapid attention from security firms, software vendors and companies that consumed the packages. (github.com) ### What should developers and users watch next? June 12, 2026 is the deadline OpenAI gave macOS users to update the affected apps. TanStack’s GitHub advisory lists patched versions for the compromised packages, and OpenAI’s security page says users should update through in-app mechanisms or official download links rather than third-party sources. (openai.com) (wiz.io)