
OpenAI Caught in Sweeping npm Supply Chain Campaign
OpenAI confirmed this week that two employee devices were breached as part of a wide-ranging software supply chain attack that targeted a popular open-source library used across the JavaScript ecosystem. The OpenAI supply chain attack did not expose user data, production systems, or intellectual property, but it forced the company to rotate its code-signing certificates and push mandatory app updates to macOS users.
The incident is part of a broader campaign known as Mini Shai-Hulud, attributed to a threat group called TeamPCP. Security researchers have linked the operation to more than 170 compromised packages across the npm and PyPI registries, collectively carrying over 518 million cumulative downloads.
How the Attack Reached OpenAI
The entry point was TanStack, a widely used collection of JavaScript libraries. On May 11, 2026, attackers published 84 malicious versions across 42 @tanstack/* npm packages during a six-minute window. The attack exploited weaknesses in TanStack's GitHub Actions workflows and CI/CD configuration, allowing the malicious packages to flow through the project's legitimate release pipeline and appear authentic.
The malicious packages carried credential-stealing malware. Once installed on a developer's machine, the malware extracted credentials from memory and then self-propagated, using stolen GitHub and npm tokens to compromise other packages the victim maintained, injecting malicious payloads, and publishing new trojanized versions to public repositories.
Two OpenAI employees downloaded the compromised packages. Their devices were affected, and the malware carried out what OpenAI described as "credential-focused exfiltration activity" against a limited subset of internal source code repositories those employees could access. Only limited credential material was taken.
What Was and Was Not Compromised
Code-signing certificates for OpenAI's macOS, Windows, iOS, and Android applications were stored in the affected repositories. Those certificates were exposed. As a precaution, OpenAI is rotating all of them, which means macOS users must update ChatGPT Desktop, Codex, and Atlas before June 12, 2026. After that date, Apple's security protections will block applications still signed with the old certificates.
OpenAI confirmed it has found no evidence of those certificates being misused. No unauthorized modifications were made to its software. No customer passwords or API keys were affected. The breach remained contained to the corporate environment and did not touch the production infrastructure or any customer-facing systems.
The company engaged a third-party digital forensics and incident response firm as part of its investigation. It also isolated the affected devices, revoked active sessions, rotated credentials, and temporarily restricted its code deployment workflows while the investigation was underway.
A Rollout That Came Too Late
OpenAI acknowledged that the timing of the breach created a gap in its defenses. Following an earlier supply chain incident involving the Axios library, the company had accelerated deployment of stricter security controls, including hardened CI/CD credential handling, a minimum package-age policy, and provenance validation for third-party packages.
But those controls had not yet reached every machine. The two employee devices affected by this incident were still running the older configuration. Had the updated controls been in place, the malicious TanStack package would not have been downloaded.
The phased rollout meant the attack succeeded where it otherwise might not have. OpenAI has since completed hardening of the affected configurations.
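A minimum package-age policy of the kind described above can be checked against the publish timestamps in npm registry metadata. The sketch below is an added example, not OpenAI's or npm's code; the package name, timestamps and 7-day threshold are constructed assumptions.

```javascript
// Added example: minimum package-age gate over npm registry metadata.
const DAY_MS = 24 * 60 * 60 * 1000;
const MIN_AGE_MS = 7 * DAY_MS; // assumed policy value, not from the article

// Constructed registry document. Real npm package documents use the same
// `time` map: "created", "modified", then one ISO timestamp per version.
const SAMPLE_PACKUMENT = {
  name: "@example/router",
  time: {
    created: "2025-01-10T09:00:00.000Z",
    modified: "2026-05-11T19:20:00.000Z",
    "1.4.0": "2026-03-01T12:00:00.000Z",
    "1.4.1": "2026-05-11T19:20:00.000Z", // published 20 minutes before NOW
  },
};
const NOW = Date.parse("2026-05-11T19:40:00.000Z"); // constructed clock

// Decide whether one exact version is old enough to install. Fails closed:
// a missing, unparseable or future timestamp is treated as a rejection.
function checkPackageAge(packument, version, nowMs, minAgeMs = MIN_AGE_MS) {
  const times = (packument && packument.time) || {};
  if (version === "created" || version === "modified") {
    return { allowed: false, reason: "not a version key" };
  }
  const publishedMs = Date.parse(times[version]);
  if (Number.isNaN(publishedMs)) {
    return { allowed: false, reason: "no usable publish time" };
  }
  const ageMs = nowMs - publishedMs;
  if (ageMs < 0) return { allowed: false, reason: "publish time in the future" };
  if (ageMs < minAgeMs) {
    const hours = (ageMs / 3600000).toFixed(1);
    return { allowed: false, reason: `published ${hours}h ago, under minimum age` };
  }
  return { allowed: true, reason: "ok" };
}

// Pick the most recently published version that passes the gate, or null.
// Ordering is by publish time, not semver precedence (a simplification).
function newestAllowedVersion(packument, nowMs, minAgeMs = MIN_AGE_MS) {
  const times = (packument && packument.time) || {};
  const ok = Object.keys(times).filter(
    (v) => checkPackageAge(packument, v, nowMs, minAgeMs).allowed
  );
  ok.sort((a, b) => Date.parse(times[b]) - Date.parse(times[a]));
  return ok.length ? ok[0] : null;
}

console.log(checkPackageAge(SAMPLE_PACKUMENT, "1.4.1", NOW));
console.log(newestAllowedVersion(SAMPLE_PACKUMENT, NOW));
```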
The Wider Campaign
The Mini Shai-Hulud operation extended well beyond OpenAI. Mistral AI also confirmed that one of its codebase management systems was temporarily compromised on May 12 through the same supply chain vector, with some of its packages contaminated. Other affected projects include UiPath, Guardrails AI, and OpenSearch.
Researchers from Socket and Aikido tracked hundreds of compromised packages distributed through legitimate repositories. A CVE has been assigned to the TanStack compromise (CVE-2026-45321) with a CVSS score of 9.6 out of 10, reflecting the severity and reach of the attack.
Security researchers noted that the malware established persistence on developer systems by modifying Claude Code hooks and VS Code auto-run tasks, allowing it to survive package removal. The stolen credentials were then used to propagate further, turning individual developer environments into new launchpads.
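Because this persistence survives package removal, cleanup has to include a review of what a workspace runs automatically. The audit below is an added example, not tooling from the researchers or vendors named here; it assumes the standard `.vscode/tasks.json` format and the Claude Code `settings.json` hook layout noted in the comments, and all sample entries are constructed placeholders.

```javascript
// Added example: list commands that run without a user action in a workspace.
// Inputs are already-parsed JSON; real tasks.json files may contain comments
// and then need a JSONC-aware parser before this step.

// VS Code starts a task on folder open when runOptions.runOn is "folderOpen".
function findAutoRunTasks(tasksJson) {
  const tasks = Array.isArray(tasksJson && tasksJson.tasks) ? tasksJson.tasks : [];
  return tasks
    .filter((t) => t && t.runOptions && t.runOptions.runOn === "folderOpen")
    .map((t) => ({
      source: ".vscode/tasks.json",
      trigger: "folderOpen",
      command: [t.command, ...(Array.isArray(t.args) ? t.args : [])].join(" "),
    }));
}

// Assumed Claude Code layout: hooks[event] = [{ matcher, hooks: [{ type, command }] }].
function findClaudeHooks(settingsJson) {
  const found = [];
  const byEvent = (settingsJson && settingsJson.hooks) || {};
  for (const [event, groups] of Object.entries(byEvent)) {
    for (const group of Array.isArray(groups) ? groups : []) {
      for (const h of Array.isArray(group && group.hooks) ? group.hooks : []) {
        if (h && h.type === "command") {
          found.push({ source: ".claude/settings.json", trigger: event, command: String(h.command) });
        }
      }
    }
  }
  return found;
}

// Report every auto-run command that is not on the reviewed allowlist.
function auditWorkspace(tasksJson, settingsJson, allowlist = []) {
  return [...findAutoRunTasks(tasksJson), ...findClaudeHooks(settingsJson)]
    .filter((f) => !allowlist.includes(f.command));
}

// Constructed sample files (placeholders, not artefacts from the campaign).
const SAMPLE_TASKS = { version: "2.0.0", tasks: [
  { label: "build", type: "shell", command: "npm", args: ["run", "build"] },
  { label: "sync", type: "shell", command: "node", args: ["./placeholder.js"],
    runOptions: { runOn: "folderOpen" } },
] };
const SAMPLE_SETTINGS = { hooks: { SessionStart: [
  { hooks: [{ type: "command", command: "node ./placeholder-hook.js" }] },
] } };

console.log(auditWorkspace(SAMPLE_TASKS, SAMPLE_SETTINGS, ["node ./placeholder-hook.js"]));
```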
TeamPCP has also been linked to a separate breach of the European Commission last month, carried out using a stolen Amazon API key.
What This Signals for Software Security
The attack pattern here is not new, but its scale reinforces a structural problem in modern software development. Applications are built on layered dependencies: open-source libraries, package managers, and CI/CD infrastructure that organizations share but do not fully control. A single compromised upstream package can propagate across dozens of organizations before anyone notices.
The TanStack packages involved had millions of weekly downloads. The window between publication and detection was roughly 20 minutes. In that time, the malicious versions reached multiple development environments, including those of some of the most security-conscious companies in the industry.
The Mini Shai-Hulud campaign follows a chain of similar operations: the tj-actions/changed-files GitHub Actions breach in March 2025, a self-propagating npm worm using invisible Unicode characters, and a compromised security scanner that pushed infostealers through its own build process. The toolchain itself has become the attack surface.
What macOS Users Need to Do
For OpenAI product users on macOS, the immediate step is to update. ChatGPT Desktop, Codex, and Atlas should be updated through the built-in in-app update prompt or directly from OpenAI's official download pages. OpenAI has advised against installing applications from links shared in emails, advertisements, or third-party download sites.
The June 12 deadline is firm. After that date, any macOS build still signed with the old certificates will stop functioning as Apple's security protections block unrecognized signatures by default.