OpenAI says two employee devices were hit in TanStack npm supply chain attack

OpenAI has confirmed that two employee devices in its corporate environment were impacted by the TanStack npm supply chain attack, but the company says it found no evidence that user data, production systems, intellectual property, or OpenAI software were compromised.

The incident stems from Mini Shai-Hulud, a broader software supply chain campaign that compromised packages in the npm ecosystem. OpenAI said the attack involved a common open-source library and led to credential-focused exfiltration activity from a limited subset of internal source code repositories accessible to the affected employees.

OpenAI has rotated credentials, isolated impacted systems, restricted deployment workflows, and started rotating code-signing certificates as a precaution. The company is also asking macOS users to update affected OpenAI apps before June 12, 2026.

What OpenAI confirmed

OpenAI said it detected activity consistent with the publicly described TanStack malware. The company also engaged a third-party digital forensics and incident response firm to support its investigation.

The company said only limited credential material was successfully exfiltrated from affected repositories. It also said it found no evidence of customer data exposure, follow-on access, misuse of impacted credentials, or unauthorized changes to published software.

The affected repositories included signing material for OpenAI products. Because of that, OpenAI is rotating certificates and coordinating with platform providers to stop new notarizations using the old material.

Item	Details
Incident	TanStack npm supply chain compromise
Campaign name	Mini Shai-Hulud
OpenAI impact	Two employee devices in the corporate environment
User data impact	No evidence of access or exposure
Production systems	No evidence of compromise
OpenAI software	No evidence of unauthorized modification
Main user action	macOS users should update OpenAI apps before June 12, 2026

Why macOS users need to update OpenAI apps

OpenAI is updating its security certificates to reduce the risk of attackers distributing fake apps that appear to come from OpenAI. The company says it has not found evidence of malicious software signed with its certificates.

Mac users should update through in-app update prompts or official OpenAI download pages. OpenAI specifically warned users not to install apps from email links, ads, messages, file-sharing links, or third-party download sites.

After June 12, 2026, older macOS OpenAI apps signed with the previous certificate may no longer work properly. OpenAI says Windows and iOS users do not need to take action, although the company is re-signing apps across platforms.

• ChatGPT Desktop last old-certificate version: 1.2026.125
• Codex App last old-certificate version: 26.506.31421
• Codex CLI last old-certificate version: 0.130.0
• Atlas last old-certificate version: 1.2026.119.1

How the TanStack attack happened

TanStack said the attack took place on May 11, 2026, between 19:20 and 19:26 UTC. Attackers published 84 malicious versions across 42 packages in the TanStack Router and Start ecosystem.

The attackers did not steal npm tokens, according to TanStack. Instead, they chained several weaknesses involving GitHub Actions, cache poisoning, and trusted publisher authentication to push malicious package versions through a trusted release path.

That made the malicious releases especially dangerous. Developers and automated systems could have installed the packages through normal npm, pnpm, or yarn workflows without seeing an obvious warning at install time.

What the malware tried to steal

The TanStack advisory describes the payload as credential-stealing malware. It ran during package installation and looked for secrets commonly found on developer workstations and CI environments.

The malware targeted cloud credentials, GitHub tokens, npm tokens, SSH keys, Kubernetes service account tokens, HashiCorp Vault tokens, and other sensitive developer materials. It also had self-propagation behavior, which could help compromised accounts spread malicious versions to other packages.

Security teams should treat any host that installed affected TanStack versions during the attack window as potentially compromised. That includes local developer machines and CI runners.

• Rotate cloud credentials exposed to the affected host.
• Rotate GitHub, npm, SSH, Kubernetes, and Vault secrets.
• Delete node_modules and lockfiles before reinstalling clean dependencies.
• Review package versions installed around May 11, 2026.
• Check cloud and source control logs for unusual activity.

TanStack says current packages are safe to install

TanStack says the affected versions were deprecated quickly, and npm removed the malicious tarballs from the registry shortly after the attack. The project later issued an all-clear after a security sweep and hardening process.

The project said only the Router and Start repo was affected. Other TanStack package families, including Query, Table, Form, Store, Virtual, DB, AI, and Devtools, were not affected by this specific compromise.

Developers should still review lockfiles and build logs if their systems installed TanStack Router or Start packages during the compromise window. A clean package state now does not automatically clear credentials that may have already been exposed earlier.

OpenAI links the incident to a wider supply chain threat

OpenAI said the attack shows how modern software dependencies can quickly move risk across many organizations. Instead of attacking one company directly, threat actors compromised shared tooling that developers and CI systems trusted.

The company said it had already started hardening package manager and CI/CD controls after an earlier Axios developer tool compromise. However, the two impacted employee devices had not yet received the updated configuration that would have blocked the newly observed malware package.

OpenAI said it is continuing to invest in controls that validate the integrity and provenance of third-party components. That includes stronger handling for sensitive credentials used in deployment pipelines.

What developers and companies should do now

Organizations should first check whether any systems installed affected TanStack package versions on May 11, 2026. They should review both developer laptops and CI environments because the malware ran during installation.

Next, teams should rotate credentials reachable from those machines. That step matters even if the host looks clean now, because credential theft may have happened during the short infection window.

Companies should also review GitHub Actions workflows that use pull_request_target, shared build caches, OIDC publishing, and install scripts. These features are powerful, but weak boundaries between untrusted pull requests and trusted release workflows can create dangerous paths for attackers.

1. Identify installs of affected TanStack packages during the attack window.
2. Rebuild dependencies from clean lockfiles and patched versions.
3. Rotate credentials available to affected developer machines and CI runners.
4. Audit GitHub, npm, cloud, and Kubernetes logs for suspicious activity.
5. Restrict package install scripts in sensitive CI jobs where possible.
6. Review GitHub Actions cache use across fork and main branch workflows.
7. Use delay and provenance controls for new open-source package releases.

The OpenAI incident did not expose user data, according to the company. Even so, it shows why developer workstations, CI runners, and open-source package pipelines now sit at the center of enterprise security risk.

For OpenAI users, the main action is simple: update macOS apps through official channels before June 12. For developers and security teams, the bigger task is to audit whether the TanStack compromise touched their own environments.

FAQ