OpenAI caught in TanStack supply chain hit: signing keys exposed, macOS users must update by June 12
OpenAI confirmed Friday that two of its employees downloaded a malicious version of TanStack, a widely used open-source React library, and that the infection gave attackers a foothold inside the company's corporate environment. The breach is part of a broader supply chain campaign called Mini Shai-Hulud, linked to an extortion group called TeamPCP that has been compromising popular npm packages since at least April and selling whatever they steal. OpenAI says no customer data, production systems, or intellectual property was taken. But the repositories the attackers accessed contained the signing certificates used to authenticate ChatGPT, Codex, and every other OpenAI application across macOS, Windows, iOS, and Android. The company is rotating those certificates and requiring macOS users to update by June 12 or lose access to updates and, eventually, functionality. No malicious software signed with OpenAI's keys has been found.
The details are in a post on OpenAI's security blog, confirmed by BleepingComputer and The Record. They tell a familiar story with an unusual ceiling: an AI lab, a poisoned dependency, and an attacker who had already shown willingness to sell what they got from a previous victim.
The attack vector was the TanStack npm package, specifically versions published on May 11 UTC as part of the Mini Shai-Hulud campaign. The group behind it, TeamPCP, has been chaining GitHub Actions exploitation with cache poisoning and stolen OIDC tokens to inject credential-stealing malware into packages that look entirely legitimate. TanStack is not a niche library. Some of the affected packages have 12 million weekly downloads. The malware doesn't just steal from the machine it lands on — it self-propagates, scanning for other packages the victim maintains and contaminating those too. The two affected OpenAI employees had devices that the company's security rollout had not yet reached: they did not yet have the configurations that would have blocked the malicious package.
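The practical question an incident like this raises for every team that depends on npm is simple: which of the packages pinned in our lockfiles were published inside the window the attackers controlled the release pipeline? The following is an added example, not code from OpenAI, TanStack, or the article, showing how a defender can answer that offline from a `package-lock.json` and the publish-time metadata the npm registry exposes for each package. Every package name, version, timestamp and the incident window itself are constructed placeholders; they are not the real affected TanStack versions, which this page does not list.

```python
"""Flag installed npm packages whose exact versions were published inside
an incident window.

Added defensive example; not OpenAI's, TanStack's or the article's code.
All package names, versions and timestamps are constructed samples.
"""
import json
from datetime import datetime

# Constructed package-lock.json (lockfileVersion 3 layout: "packages" maps
# install paths to metadata). Not a real project's lockfile.
SAMPLE_LOCKFILE = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        "node_modules/@example/table-lib": {"version": "9.9.9"},
        "node_modules/@example/query-lib": {"version": "5.0.1"},
        "node_modules/left-pad-ish": {"version": "1.3.0"},
        # nested dependency: name is the last node_modules segment
        "node_modules/@example/query-lib/node_modules/tiny-util": {"version": "0.2.0"},
    },
})

# Constructed registry metadata in the shape of the packument "time" field
# ({"<version>": "<ISO 8601 publish time>"}). Real data comes from
# `npm view <package> time --json`; these values are invented.
SAMPLE_REGISTRY_TIME = {
    "@example/table-lib": {
        "9.9.8": "2026-04-30T10:00:00.000Z",
        "9.9.9": "2026-05-11T14:22:31.000Z",  # inside the constructed window
    },
    "@example/query-lib": {"5.0.1": "2026-03-02T08:00:00.000Z"},
    "tiny-util": {"0.2.0": "2026-05-11T23:59:59.000Z"},  # also inside
    # no entry for left-pad-ish: it must be reported as unknown, not ignored
}

# Constructed incident window (the page gives only "May 11 UTC", no year).
WINDOW_START = "2026-05-11T00:00:00Z"
WINDOW_END = "2026-05-12T00:00:00Z"


def parse_iso(ts: str) -> datetime:
    """Parse an npm registry timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def installed_packages(lockfile_text: str):
    """Yield (name, version) for every node_modules entry in a v2/v3 lockfile.

    The root project entry (empty path) is skipped. For nested installs the
    package name is the path segment after the last 'node_modules/'.
    """
    lock = json.loads(lockfile_text)
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = meta.get("name") or path.split("node_modules/")[-1]
        yield name, meta["version"]


def audit(lockfile_text: str, registry_time: dict, window_start: str, window_end: str) -> dict:
    """Return {'flagged': [(name, version, published)], 'unknown': [(name, version)]}.

    'flagged' holds installed versions published in [window_start, window_end).
    'unknown' holds packages with no publish metadata available, which a
    defender should resolve rather than silently treat as clean.
    """
    start, end = parse_iso(window_start), parse_iso(window_end)
    flagged, unknown = [], []
    for name, version in installed_packages(lockfile_text):
        published = registry_time.get(name, {}).get(version)
        if published is None:
            unknown.append((name, version))
            continue
        if start <= parse_iso(published) < end:
            flagged.append((name, version, published))
    return {"flagged": flagged, "unknown": unknown}


if __name__ == "__main__":
    report = audit(SAMPLE_LOCKFILE, SAMPLE_REGISTRY_TIME, WINDOW_START, WINDOW_END)
    for name, version, published in report["flagged"]:
        print(f"FLAGGED  {name}@{version}  published {published}")
    for name, version in report["unknown"]:
        print(f"UNKNOWN  {name}@{version}  (no publish metadata; verify manually)")
```

Two design choices matter here. First, the check keys on the exact installed version and its publish time rather than on a package name, because the article's point is that the malicious versions were pushed through the project's official release pipeline and look like ordinary updates; name-based allowlists cannot distinguish them. Second, packages without metadata are surfaced as unknown instead of dropped, so a gap in the registry snapshot cannot produce a false clean result. To run it against a real project, replace `SAMPLE_REGISTRY_TIME` with the output of `npm view <package> time --json` for each dependency and set the window to the one published in the vendor's advisory.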
What the attackers got, according to OpenAI's disclosure, was limited: credentials for a small number of source code repositories. The company confirmed the exfiltrated material included signing keys for its application portfolio. OpenAI rotated those credentials, isolated the impacted systems, revoked sessions, and restricted code deployment workflows while a third-party forensics firm investigated. The company says it has not seen evidence that the stolen credentials were used for any follow-on access or that any software was modified. The certificates have not been used to sign anything malicious, as far as OpenAI knows.
That last caveat is doing real work. TeamPCP's track record is the reason it matters. The same group was behind the LiteLLM supply chain attack in April, which cascaded into a breach at AI recruiting company Mercor. They also used a stolen Amazon API key to access the European Commission in April. This week, they offered for sale what they claimed was internal source code from Mistral AI, another AI company hit in the same TanStack campaign. Mistral confirmed a compromise and said attackers did not access hosted services or user data, but did get into some code repositories. OpenAI disclosed the same category of access. The difference is that OpenAI is a far larger target with signing keys for applications used by hundreds of millions of people.
The June 12 deadline is the part users will feel directly. On that date, macOS will begin blocking older versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas if they were signed with the old certificates. The update requirement only applies to macOS. Windows and iOS users are not required to act. OpenAI says it coordinated with Apple to stop new notarizations with the exposed certificates, which means fraudulent apps using the old keys would lack Apple's approval by default. Users who stick with out-of-date versions after June 12 will lose update access and, eventually, the ability to launch the application.
OpenAI notes it had already accelerated deployment of supply chain security controls after a separate incident in March, when North Korean hackers compromised the Axios developer tool and used it to target multiple organizations. The controls that would have blocked the TanStack attack were in the process of being rolled out. The two employee devices had not yet received them. The company is treating this as evidence that the controls work, even as it acknowledges they were not fast enough to prevent this incident.
The broader pattern is what security researchers keep trying to make the industry feel. Avital Harel, a security research lead at Upwind, told The Record that the self-spreading behavior embedded in the Mini Shai-Hulud malware represents an escalation from opportunistic credential theft toward something more deliberate and targeted at specific geographic regions. The malware is not just stealing from whoever installs it. It is hunting, and it is patient. TanStack's own post-mortem confirmed the attackers abused weaknesses in the project's GitHub Actions workflows to publish malicious versions directly through the official release pipeline, making the packages look indistinguishable from legitimate updates.
For AI companies, the implication is not abstract. The model weights, the training infrastructure, and the application signing keys are all downstream of developer tooling that runs on open-source packages updated through automated pipelines. A single compromised library, downloaded by a single engineer on a single day, can give an attacker a path to all of it. OpenAI was not uniquely careless. The same dependency chain that brought Mini Shai-Hulud into its environment runs through every AI lab that uses JavaScript tooling in production or development. The question is not whether the next TanStack will happen. The question is which company finds out about it first and whether the signing keys are in the same room when they do.