OpenAI Caught in TanStack Supply Chain Attack After Two Staff Machines Hit by Malware
OpenAI confirmed it was affected by the "Mini Shai-Hulud" npm supply chain attack, in which malware hidden in compromised TanStack packages reached two employee devices and allowed attackers to steal a limited amount of internal credential material. The company stated that no customer data or production systems were compromised, but as a precaution it is rotating signing certificates for several desktop products — including ChatGPT Desktop and Codex — and requiring users to update by June 12. The incident is part of a broader campaign linked to a threat group called TeamPCP, which has been systematically poisoning npm ecosystems and stealing developer credentials across multiple software pipelines.