OpenAI hit by npm supply‑chain incident

OpenAI said on May 13 that a supply-chain attack involving poisoned TanStack npm packages reached two employee devices inside its corporate environment and led to the theft of a limited amount of internal credential material. The company said it found no evidence that user data, production systems, intellectual property or deployed software were compromised. OpenAI said the affected repositories included code-signing certificates for several products, prompting the company to rotate those certificates and require macOS users to update affected apps by June 12, 2026. The disclosure ties OpenAI to a wider malware campaign known as Mini Shai-Hulud that has spread through npm and developer tooling in recent days. ### How did OpenAI say the compromise reached its network? OpenAI said the incident began on May 11, 2026 UTC, when TanStack packages were compromised as part of the broader Mini Shai-Hulud campaign. The company said two employee devices were affected after the malicious dependency reached systems in its corporate environment. OpenAI said it engaged a third-party digital forensics and incident response firm after detecting the activity. (openai.com) The Register reported on May 15 that the two compromised devices had not yet received updated package-management protections that OpenAI had been rolling out after an earlier Axios-related incident. That detail came from OpenAI’s account of the event, as reported by the publication. ### What exactly did the attackers get? (openai.com) OpenAI said it observed unauthorized access and “credential-focused exfiltration activity” in a limited subset of internal source-code repositories that the two affected employees could reach. The company said only limited credential material was successfully exfiltrated and that no other information or code was impacted. (theregister.com) SecurityWeek reported on May 15 that the compromised repositories contained code-signing certificates for iOS, macOS, Windows and Android products. OpenAI’s own post said the impacted repositories included signing certificates for its products, including iOS, macOS and Windows. ### What did OpenAI say was not affected? OpenAI said its investigation found no evidence that customer data was impacted and no evidence that its intellectual property was compromised. (openai.com) The company also said its analysis had not identified misuse of the affected credentials or follow-on access by the threat actor. The Register reported that OpenAI said there was no evidence that production systems or deployed software were compromised. (securityweek.com) That matches OpenAI’s public statement that it had not found evidence its software was altered. ### What is TanStack, and how broad was the upstream attack? TanStack is a widely used open-source web development library, and OpenAI said its incident was part of the broader Mini Shai-Hulud software supply-chain attack. (openai.com) Socket said it detected 84 compromised npm artifacts in the TanStack namespace, while Snyk and TanStack’s GitHub advisory said 84 malicious versions were published across 42 packages on May 11. (theregister.com) TanStack’s GitHub advisory said the malicious packages were published between about 19:20 and 19:26 UTC and were authenticated through a legitimate GitHub Actions trusted-publisher binding. The advisory said the publish workflow itself was not modified, and described the chain as involving pull_request_target abuse, GitHub Actions cache poisoning and extraction of an OIDC token from runner memory. (openai.com) ### What did OpenAI do after finding the intrusion? OpenAI said it isolated the affected systems and identities, revoked user sessions, rotated all credentials across the impacted repositories and temporarily restricted code-deployment workflows. The company said it also scrutinized user and credential behavior as part of containment. PCMag and other outlets reported that OpenAI also moved to rotate code-signing certificates for its applications as a precaution. (github.com) OpenAI said the certificate changes are meant to reduce any risk that someone could distribute a fake app appearing to come from the company. ### Which users need to act now? OpenAI said macOS users of ChatGPT Desktop, Codex App, Codex CLI and Atlas must update to the latest versions by June 12, 2026. (openai.com) The company said the deadline is tied to the certificate rotation required after signing certificates were exposed in the affected repositories. SecurityWeek reported that after June 12, affected macOS products may stop functioning properly or stop receiving updates if users do not install the new versions. (pcmag.com) OpenAI’s post directs users to update through in-app updates or official download links. (securityweek.com) (openai.com)