TanStack supply-chain hits OpenAI

OpenAI said on May 13 that a supply-chain attack involving poisoned TanStack npm packages reached two employee devices and led to the theft of a limited amount of internal credential material. The company said it found no evidence that user data, production systems, intellectual property or deployed software were compromised. The incident was part of a broader campaign known as Mini Shai-Hulud, which security researchers said spread through legitimate open-source release pipelines rather than fake lookalike packages. OpenAI said the affected source-code repositories included code-signing certificates for some products, triggering emergency certificate rotation and a forced update path for macOS users. ### How did the attack get from TanStack into OpenAI’s environment? TanStack packages were compromised on May 11, 2026, when 84 malicious npm artifacts were published across 42 packages in the @tanstack namespace, according to GitHub’s advisory database and security researchers tracking the campaign. The malicious versions were published through TanStack’s legitimate release pipeline, researchers said, after attackers hijacked the workflow rather than simply stealing a maintainer password. (openai.com) OpenAI said May 11 was also the date its own exposure began. The company said two employee devices in its corporate environment were impacted after the compromised library was pulled in, and that it observed activity consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration from a limited subset of internal repositories those employees could reach. (github.com) ### What exactly did OpenAI say the attackers got? OpenAI said only “limited credential material” was successfully exfiltrated from the affected repositories. The company said it isolated impacted systems and identities, revoked user sessions, rotated credentials across affected repositories, temporarily restricted code-deployment workflows and reviewed user and credential behavior. (openai.com) The company also said the impacted repositories contained signing certificates for products including iOS, macOS and Windows. OpenAI said it had not identified misuse of the affected credentials or follow-on access by the threat actor, but it rotated code-signing certificates as a precaution because those certificates help operating systems determine whether software is authentic. (openai.com) ### Why are Mac users being told to update by June 12? OpenAI said on May 13 that macOS users must update OpenAI apps by June 12, 2026, because the company is replacing security certificates tied to its desktop software. The company said the change is meant to reduce the risk that someone could try to distribute a fake app that appears to come from OpenAI. (openai.com) OpenAI named ChatGPT Desktop, Codex App, Codex CLI and Atlas as the products that can be updated through in-app updates or official download links. Reporting on the disclosure said the forced update stems from certificate rotation after the compromised repositories were found to include signing material. ### What made this TanStack incident different from a routine bad package? (openai.com) Security researchers at Snyk and StepSecurity said the malicious TanStack packages carried valid SLSA provenance attestations because the attackers hijacked the legitimate build pipeline itself. That meant the packages appeared to have been built by a trusted process even though the code being shipped was malicious. (openai.com) GitHub’s advisory described the attack chain as a combination of a pull_request_target “Pwn Request,” GitHub Actions cache poisoning and OIDC token extraction from runner memory. StepSecurity said the worm then used stolen CI/CD secrets to spread into other maintainers’ packages, extending the campaign beyond TanStack to other software publishers. ### What did OpenAI say was not affected? (snyk.io) OpenAI said it found no evidence that customer data was accessed, that production systems or intellectual property were compromised, or that its software was altered. The company said its investigation included work with a third-party digital forensics and incident response firm. Security researchers tracking Mini Shai-Hulud said any environment that installed one of the affected versions should be treated as compromised until secrets are rotated and systems are reviewed. (github.com) That guidance comes from the campaign’s focus on credential theft and lateral spread through developer tooling and CI/CD infrastructure. ### What happens next for users and defenders? (openai.com) June 12, 2026, is the concrete next deadline in OpenAI’s response. By that date, macOS users need updated versions of ChatGPT Desktop, Codex App, Codex CLI and Atlas signed with the new certificates, while companies that installed affected TanStack versions are expected to finish secret rotation and host review tied to CVE-2026-45321 and GitHub advisory GHSA-g7cv-rxg3-hmpx. (openai.com) (snyk.io)