OpenAI — two employee devices compromised in TanStack npm supply-chain attack
Two OpenAI staff devices compromised by poisoned @tanstack npm packages; limited credentials exfiltrated and OpenAI is re-signing all desktop and mobile applications.
- Target
- OpenAI — two employee devices compromised in TanStack npm supply-chain attack
- Date public
- 29 May 2026
- Sector
- Technology
- Attack type
- Supply Chain
- Threat actor
- TeamPCP (Mini Shai-Hulud campaign)
- Severity
- High
- Region
- Global
On 11 May 2026 the Mini Shai-Hulud worm — the TeamPCP-derived npm supply-chain campaign already responsible for the Bitwarden CLI and GitHub internal repos compromises — pushed 84 trojanised package versions across 42 @tanstack/* releases. OpenAI confirmed on 29 May that two employee devices in its corporate environment installed the poisoned releases and were compromised before detection.
OpenAI’s own incident statement is unusually specific. The malware behaved as publicly described: credential-focused exfiltration from local secrets stores plus directory walks across the obvious developer locations. The company says a limited amount of credential material was successfully exfiltrated from a small subset of internal source-code repositories the two staff members had access to, and that nothing else of consequence was taken. No customer data, no production systems, no intellectual property, and no shipped code were impacted on the current evidence.
The cost is in the cleanup, not the loss. OpenAI’s signing keys for Windows, macOS, iOS and Android were among the credentials the attackers reached. As a result the company is re-signing every desktop and mobile application it ships and revoking the old certificates. macOS users have a hard deadline of 12 June 2026: after that, applications signed with the previous certificate will be blocked by macOS Gatekeeper at launch. The company has also accelerated CI/CD credential hardening, deployed npm minimumReleaseAge and provenance controls, and added package-validation tooling for engineer workstations.
The interesting story is not OpenAI specifically; it is what two compromised laptops were sufficient to reach. A poisoned third-party npm package, installed once during a routine workday, put an attacker close enough to the application-signing pipeline that every shipped artefact has to be re-issued. A deep-dive will follow once OpenAI publishes more on the access chain from compromised dev workstation to signing material, and once researchers finish characterising the Mini Shai-Hulud variant used in this wave.
Sources
- OpenAI — Our response to the TanStack npm supply chain attack // primary
- BleepingComputer — OpenAI confirms security breach in TanStack supply chain attack // reporting
- The Record — OpenAI asks macOS users to update after TanStack npm supply chain attack // reporting
- The Hacker News — TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates // reporting
- The Register — OpenAI caught in TanStack npm supply chain chaos after employee devices compromised // reporting