OpenAI confirms security breach in TanStack supply chain attack

Summary

OpenAI disclosed that two employee devices were compromised during the "Mini Shai-Hulud" supply chain campaign attributed to the TeamPCP extortion gang, which targeted hundreds of npm and PyPI packages. The attack exposed limited credentials from internal source code repositories but did not impact customer data, production systems, or intellectual property; OpenAI rotated code-signing certificates and revoked sessions as a precaution. The broader TanStack supply chain attack exploited CI/CD pipeline vulnerabilities across multiple projects including Mistral AI, UiPath, and OpenSearch, delivering malware designed to steal developer credentials, establish persistence, and sabotage systems.

Full text

OpenAI confirms security breach in TanStack supply chain attack By Lawrence Abrams May 14, 2026 03:07 PM 0 OpenAI says two employees' devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and PyPI packages, causing the company to rotate code-signing certificates for its applications as a precaution. In a security advisory published today, the company said the incident did not impact customer data, production systems, intellectual property, or deployed software. The company says the breach is linked to the recent "Mini Shai-Hulud" supply-chain campaign by the TeamPCP extortion gang, which targeted developers by slipping malicious updates into trusted and popular software packages. "We observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access," OpenAI explained. The company says that only limited credentials were stolen from the repositories in the attack and that there is no evidence they were used in additional attacks. OpenAI says it isolated affected systems and accounts, revoked sessions, rotated credentials across affected repositories, and temporarily restricted deployment workflows. The company also conducted a forensic investigation with the help of a third-party incident response firm. Code signing certificates used for OpenAI products on macOS, Windows, iOS, and Android were also exposed in the incident. While OpenAI has not detected that these certificates were abused to sign malicious software, the company is rotating them as a precaution. This rotation will require macOS users to update their OpenAI desktop applications before June 12, 2026, as applications signed with the older certificates may not launch or receive updates due to Apple's notarization process. Windows and iOS users are not impacted and do not need to take any action. The TanStack supply chain attack The OpenAI breach is part of a massive Mini Shai-Hulud software supply-chain campaign that compromised hundreds of npm and PyPI packages earlier this week. The attack initially targeted packages from TanStack and Mistral AI before spreading to other projects, including UiPath, Guardrails AI, and OpenSearch, through stolen CI/CD credentials and legitimate workflows. Researchers from Socket and Aikido ultimately tracked hundreds of compromised packages distributed through legitimate package repositories. According to TanStack's post-mortem, the attackers abused weaknesses in the project's GitHub Actions workflows and CI/CD configuration to execute malicious code, extract tokens from memory, and publish malicious packages through TanStack's normal release pipeline. This allowed the attackers to publish malicious package versions directly through legitimate releases, with the packages appearing legitimate. The Mini Shai-Hulud malware delivered in the campaign targeted the theft of developer and cloud credentials, including GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and .env files. Security researchers say the malware also established persistence on developer systems by modifying Claude Code hooks and VS Code auto-run tasks, enabling it to survive package removal. The malware spread to other projects by using stolen GitHub and npm credentials to compromise maintainer accounts, inject malicious payloads into package tarballs, and publish new trojanized package versions to repositories. Microsoft Threat Intelligence also reported that it launched a Linux information-stealing tool that targeted systems running Russian-language software. The malware also contained a destructive sabotage component that would randomly execute a recursive wipe command on some Israeli or Iranian systems. OpenAI says the incident is part of a growing trend of attackers targeting the software supply chain rather than individual companies directly, for widespread impact. "Modern software is built on a deeply interconnected ecosystem of open-source libraries, package managers, and continuous integration and continuous deployment infrastructure, which means that a vulnerability introduced upstream can propagate widely and quickly across organizations," the company concluded. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.This guide covers the 6 surfaces you actually need to validate. Download Now Related Articles: TeamPCP hackers advertise Mistral AI code repos for saleOfficial SAP npm packages compromised to steal credentialsGitHub links repo breach to TanStack npm supply-chain attackNew Shai-Hulud malware wave compromises 600 npm packagesShai Hulud attack ships signed malicious TanStack, Mistral npm packages

Indicators of Compromise

• malware — Mini Shai-Hulud

Entities