OpenAI confirms TanStack breach

- OpenAI said on May 13, 2026 that a supply-chain attack on the TanStack npm library compromised two employee devices in its corporate environment.
- The company said only limited credential material was exfiltrated from a subset of internal repositories those two workers could access, and that it found no evidence user data, production systems or intellectual property were touched.
- macOS users must update OpenAI's desktop apps by June 12, 2026 because the company is rotating its code-signing certificates, according to OpenAI's incident response post.

OpenAI said on May 13 that a compromise of the TanStack npm library hit two employee devices and exposed some credential material from a limited set of internal code repositories. The company said it found no evidence that user data, production systems or intellectual property were accessed, or that software binaries were altered in the incident. The attack was part of a broader software supply-chain campaign known as "Mini Shai-Hulud," according to OpenAI and outside security reporting. OpenAI said it hired a third-party digital forensics and incident response firm as it investigated. (openai.com)

### How did the attack reach OpenAI?

OpenAI said TanStack was compromised on May 11, 2026 UTC, and that the malicious package was part of a wider campaign targeting open-source software dependencies. The company said the attack affected two devices in its corporate environment rather than its production infrastructure. SecurityWeek reported that more than 170 packages tied to the campaign were affected across npm and PyPI, with organizations including Mistral AI, UiPath and OpenSearch also named in reporting on the broader incident. (securityweek.com) That places OpenAI's disclosure inside a larger supply-chain event rather than a standalone breach.

### What data did OpenAI say was taken?

OpenAI said investigators observed behavior consistent with the malware's reported pattern, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories available to the two employees. The company said it confirmed that "only limited credential material" was successfully exfiltrated and that no other information or code in those repositories was affected. (openai.com) TechCrunch reported on May 14 that OpenAI characterized the incident as one in which "some data" was stolen from employee devices, while repeating the company's statement that it found no evidence of access to user records, production systems or intellectual property. (techcrunch.com)

### Did the incident affect ChatGPT users or OpenAI's production systems?

OpenAI said its investigation found no evidence that user data was accessed, that production systems were compromised, or that intellectual property was taken. The company also said its analysis had not identified misuse of the affected credentials or follow-on access by the threat actor after the initial compromise. Those statements matter because the repositories touched in the incident included code-signing certificates for OpenAI products on iOS, macOS and Windows. OpenAI said the certificates were present in the impacted repositories even though investigators did not find evidence that software had been altered. (openai.com)

### Why are macOS users being told to update by June 12?

OpenAI said it is rotating code-signing certificates "as a precaution," and that the change requires all macOS users to update their OpenAI applications to the latest versions by June 12, 2026. The company said the step is meant to reduce the risk that someone could try to distribute a fake application that appears to come from OpenAI; that concern follows from the certificates' presence in the impacted repositories. The affected products listed in OpenAI's notice are ChatGPT Desktop, Codex App, Codex CLI and Atlas. OpenAI said users should update through the in-app updater or the official download links on its site. (openai.com)

### What has OpenAI done since detecting the compromise?

OpenAI said it isolated impacted systems and identities, revoked user sessions, rotated credentials across affected repositories, temporarily restricted code-deployment workflows and reviewed user and credential behavior. The company also said it brought in an outside incident-response firm as part of the investigation. BleepingComputer reported that the certificate rotation followed the company's conclusion that two employees' devices had been breached in the TanStack attack, and tied the incident to the broader package compromise affecting hundreds of npm and PyPI packages. (bleepingcomputer.com)

### What happens next?

June 12, 2026 is the next concrete date in OpenAI's response plan: it is the deadline the company gave macOS users to install updated versions of its apps. OpenAI's incident post remains the main public source for updates on the certificate rotation, the impacted products and any further remediation steps. (openai.com)
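The update advice above turns on one question a macOS user or admin can actually check: is the app bundle on disk signed by the developer you expect? The following script is an added example, not OpenAI's tooling and not from the incident post. It verifies a bundle with `codesign` and compares the Team ID in the signature against an expected value. `EXPECTED_TEAM_ID` is a placeholder to be taken from a trusted reference build (for instance the signature on a copy fetched from the vendor's official download link); the app path in the usage line and the sample `codesign -dvv` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenAI's own tooling: check that an installed macOS app
# bundle carries a valid signature from the Team ID you expect, before relying
# on it after a certificate rotation. EXPECTED_TEAM_ID is a placeholder; take the
# real value from the signature on a copy fetched from the vendor's official
# download page, not from this script.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-XXXXXXXXXX}"

# Constructed sample of `codesign -dvv` output (assumed layout): a Developer ID
# signed app reports the team ID both in the Authority line and as TeamIdentifier.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=42'

# Print the TeamIdentifier value from codesign -dvv output, or nothing if the
# line is missing. codesign prints "TeamIdentifier=not set" for ad-hoc signatures.
extract_team_id() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Succeed only when a real team ID was found and it equals the expected one.
# Pure comparison so it can be exercised on a machine without codesign.
team_id_matches() {
    [ -n "$1" ] && [ "$1" != "not set" ] && [ "$1" = "$2" ]
}

# Full check on a live bundle: the signature must validate under --deep --strict
# (every nested binary and sealed resource), and the Team ID must match.
# Requires macOS, where codesign lives.
verify_app() {
    app="$1"
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: signature on $app does not validate" >&2
        return 1
    fi
    details=$(codesign -dvv "$app" 2>&1)
    team=$(extract_team_id "$details")
    if ! team_id_matches "$team" "$EXPECTED_TEAM_ID"; then
        echo "FAIL: $app signed by Team ID '${team:-<none>}', expected $EXPECTED_TEAM_ID" >&2
        return 1
    fi
    echo "OK: $app signed by expected Team ID $team"
}

# Gatekeeper's own verdict (notarization and revocation status) as a second opinion.
assess_app() {
    spctl --assess --type execute --verbose=2 "$1"
}

# Usage: sh verify_app.sh /Applications/ChatGPT.app   (the path is an assumption)
if [ $# -gt 0 ]; then
    verify_app "$1" && assess_app "$1"
fi
```

A signature that validates proves only that the bundle was signed with a key belonging to that Team ID. After signing material may have been exposed, the cases worth acting on are a bundle that validates but reports an unexpected Team ID or Authority chain, and an `spctl` verdict that changes after the vendor's certificate rotation; in both cases reinstall from the official download link rather than trusting the copy on disk.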
