OpenAI Caught in TanStack Supply Chain Attack After Two Staff Machines Hit by Malware
OpenAI confirmed it was affected by the "Mini Shai-Hulud" npm supply chain attack, in which malware hidden in compromised TanStack packages reached two employee devices and allowed attackers to steal a limited amount of internal credential material. The company stated that no customer data or production systems were compromised, but as a precaution it is rotating signing certificates for several desktop products — including ChatGPT Desktop and Codex — and requiring users to update by June 12. The incident is part of a broader campaign linked to a threat group called TeamPCP, which has been systematically poisoning npm ecosystems and stealing developer credentials across multiple software pipelines.
OpenAI has confirmed it was swept up in the sprawling TanStack npm supply chain compromise, after malicious packages reached two employee devices and allowed attackers to pull internal credentials from a limited set of company repositories.
The company said this week that no customer data, production systems, or deployed software were affected. But the breach was serious enough to trigger a precautionary certificate rotation across several desktop products, including the macOS versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas. Users of those apps have until June 12 to install the updates.
The timing of the incident is awkward for OpenAI in a specific way. The company had already been rolling out upgraded supply chain security controls following a separate Axios-related incident. The two devices that were hit simply hadn't received those updated protections yet. The new measures would have blocked the malicious dependency from running. They just arrived too late for those two machines.
Once on those two machines, the attackers carried out what OpenAI described as credential-focused exfiltration, targeting internal repositories accessible from the compromised endpoints. The company was careful to say only a limited amount of credential material was successfully taken, though that was still enough to warrant rotating signing certificates across multiple products.
The attack is part of a much broader campaign that security researchers have been tracking under the name "Mini Shai-Hulud." The operation has been working its way through npm ecosystems, CI/CD pipelines, and GitHub Actions workflows for weeks. Security firm Socket connected the TanStack compromise to this wider effort, which has relied on poisoned automation workflows and stolen publishing credentials to slip malicious updates into widely used software pipelines.
TanStack confirmed this week that 84 malicious package versions across 42 @tanstack/* packages had been published after attackers broke into parts of its release infrastructure. The poisoned packages were built to harvest credentials, specifically GitHub tokens, cloud secrets, npm authentication material, and CI/CD credentials.
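For teams checking their own exposure, the sketch below is an added example, not code from OpenAI, TanStack, or Socket. It inventories every @tanstack/* version pinned in a parsed package-lock.json, including nested copies, and compares each against a denylist. The article does not list the affected versions, so the denylist entries, function names, and sample lockfile are placeholders constructed for illustration.

```javascript
// Added example. DENYLIST is a placeholder: fill it from TanStack's advisory.
const SCOPE = "@tanstack/";
const DENYLIST = new Map([
  // ["@tanstack/<package>", new Set(["<malicious-version>"])],
]);

// Return every locked copy of a @tanstack/* package, including nested copies.
function tanstackEntries(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths, e.g. "node_modules/a/node_modules/b"
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      if (path.includes("node_modules/") && name.startsWith(SCOPE)) {
        found.push({ name, version: meta.version, path });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = trail + "/" + name;
        if (name.startsWith(SCOPE)) found.push({ name, version: meta.version, path });
        walk(meta.dependencies, path);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Mark each locked copy whose exact version appears in the denylist.
function audit(lock, denylist = DENYLIST) {
  return tanstackEntries(lock).map((e) => ({
    ...e,
    flagged: denylist.get(e.name)?.has(e.version) ?? false,
  }));
}
// Constructed sample lockfile (package names and versions invented for illustration).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/example-a": { version: "9.9.1" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/widget/node_modules/@tanstack/example-a": { version: "9.9.2" },
  },
};
const sampleDenylist = new Map([["@tanstack/example-a", new Set(["9.9.2"])]]);
console.log(audit(sampleLock, sampleDenylist));
```

A flagged entry means the malicious version was pinned at some point, so the credentials reachable from any machine or CI runner that installed it should be treated as exposed and rotated.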
Researchers have linked the group behind this activity to a threat actor called TeamPCP, which has developed a pattern of targeting developer tooling and credential stores across multiple ecosystems. Earlier Mini Shai-Hulud activity involved SAP-related npm packages, suggesting this is a sustained, expanding operation rather than a one-off smash-and-grab.
OpenAI says it is still investigating and watching for any signs that the stolen credentials have been used downstream.
The reassuring part is that production systems were not breached. The less reassuring part is that attackers keep getting further into the software build chain before anyone catches them.