OpenAI Confirms Breach in TanStack Attack and Urgently Rotates App Signing Certificates

15.05.2026 3 minutes Author: Newsman

OpenAI has confirmed that it was one of the victims of a large-scale supply chain attack on TanStack npm packages. The company announced that its internal repositories were compromised and urged macOS users to update its proprietary applications because their signing certificates are being rotated.

This article discusses a large-scale cyberattack on the TanStack supply chain, which affected multiple employees of OpenAI and necessitated urgent rotation of code signing certificates for all of OpenAI’s macOS, Windows, iOS, and Android apps.
Although the attackers could not breach user data, production systems, or intellectual property, they were able to obtain some developer credentials.
OpenAI stated the hackers used the “Mini Shai-Hulud” campaign (which is associated with the TeamPCP group) to distribute malicious updates via widely-used npm and PyPI packages in order to access developers’ machines and CI/CD environments.

“We saw activity consistent with the publicly documented behavior of malware, such as unauthorized access and credential harvesting in a small subset of our internal source code repositories,” stated OpenAI.

Additionally, OpenAI said the hackers stole only a very limited number of credentials from those repositories. No evidence indicates that these credentials have been used in subsequent attacks.

Following the initial compromise, OpenAI identified the compromised systems and accounts; terminated current active sessions; reset passwords in the compromised repositories; and temporarily blocked application deployments. Additionally, OpenAI hired an outside incident response team to assist with their investigations.

In a separate announcement, OpenAI indicated that the attackers had compromised code-signing certificates for many of its applications across several platforms. Although there was no evidence that the compromised certificates were ever used to create malware, the company chose to replace them as a preventive measure. As a consequence, Mac users will need to update their OpenAI desktop apps before June 12, 2026. If users fail to do so, apps signed with older certificates may cease working or be unable to receive updates using Apple’s notarization process. In contrast, Windows and iOS users will not need to take any additional action.

The Mini Shai-Hulud campaign appears to be among the largest supply-chain campaigns in recent history. Following their compromises of TanStack and Mistral AI, the attackers eventually expanded their scope to include UiPath, Guardrails AI, OpenSearch, and other projects.

Researchers at Socket and Aikido identified hundreds of tainted npm and PyPI packages distributed via official sources.

TanStack officials stated that the attackers successfully exploited GitHub Actions and CI/CD configuration vulnerabilities to execute malicious code, extract tokens from memory, and upload infected packages through a legitimate release pipeline.

Consequently, the tainted packages appear to be standard official releases.

Mini Shai-Hulud was designed to collect GitHub tokens, npm credentials, AWS data, Kubernetes secrets, SSH keys, and .env files.

In addition, researchers located persistence mechanisms that permitted the malware to continue operating on systems even after the tainted package was deleted. These mechanisms included modifying Claude Code hooks and VS Code autorun.
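One way to review the two persistence locations named above, as an added example that is not from OpenAI, TanStack or the researchers: the script lists every command that Claude Code hooks or VS Code folder-open tasks would run automatically, so each can be checked by hand. The file locations and the `runOn: folderOpen` trigger are assumptions taken from those tools' public configuration formats, since the article does not say which files the malware changed, and all sample content is constructed.

```python
import json, tempfile
from pathlib import Path

def _load(path, root, out):
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        # tasks.json may contain comments (JSONC); flag it instead of skipping it
        out.append((path.relative_to(root).as_posix(), "unparsed", "review manually"))
        return {}

def _dicts(value):
    """Return only the dict items of a list, tolerating malformed config."""
    return [v for v in value if isinstance(v, dict)] if isinstance(value, list) else []

def audit(root):
    """Return (file, kind, command) for each auto-executed command under root."""
    out, root = [], Path(root)
    # Assumed locations: Claude Code project settings and VS Code workspace tasks.
    for name in ("settings.json", "settings.local.json"):
        for path in root.rglob(".claude/" + name):
            data = _load(path, root, out)
            hooks = data.get("hooks") if isinstance(data, dict) else None
            for event, groups in (hooks.items() if isinstance(hooks, dict) else []):
                for group in _dicts(groups):
                    for hook in _dicts(group.get("hooks")):
                        out.append((path.relative_to(root).as_posix(),
                                    "claude-hook:" + event, str(hook.get("command"))))
    for path in root.rglob(".vscode/tasks.json"):
        data = _load(path, root, out)
        for task in _dicts(data.get("tasks") if isinstance(data, dict) else None):
            opts = task.get("runOptions")
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                out.append((path.relative_to(root).as_posix(),
                            "vscode-autorun", str(task.get("command"))))
    return sorted(out)

def demo():
    """Audit a constructed workspace; every file body below is made up."""
    files = {
        "a/.claude/settings.json": json.dumps({"hooks": {"SessionStart": [
            {"hooks": [{"type": "command", "command": "node .cache/run.js"}]}]}}),
        "a/.vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [
            {"label": "build", "type": "shell", "command": "make"},
            {"label": "sync", "type": "shell", "command": "sh .cache/s.sh",
             "runOptions": {"runOn": "folderOpen"}}]}),
        "b/.vscode/tasks.json": '// comment\n{"tasks": []}',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body, encoding="utf-8")
        return audit(tmp)
```

The output is an inventory, not a verdict: a listed command is only something that runs without a prompt, and it still has to be compared against what the project is expected to run.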

Additionally, Microsoft Threat Intelligence reported a Linux variant of the information-stealing malware attacking systems hosting Russian-language software. This malware also contained a destructive module that inadvertently caused some Israeli and Iranian systems to delete files recursively.

Finally, OpenAI noted that this campaign represents a significant shift away from hackers focusing on single targets toward hacking entire software development supply chains.

“Modern software relies upon an incredibly interconnected network of open-source libraries, package managers and Continuous Integration / Continuous Deployment infrastructures; therefore, vulnerabilities can rapidly spread between organizations.”
