OpenAI says two employees’ devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and PyPI packages, causing the company to rotate code-signing certificates for its applications as a precaution.
In a security advisory published today, the company said the incident did not impact customer data, production systems, intellectual property, or deployed software.
The company says the breach is linked to the recent “Mini Shai-Hulud” supply-chain campaign by the TeamPCP extortion gang, which targeted developers by slipping malicious updates into trusted and popular software packages.
“We observed activity consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access,” OpenAI explained.
The company says that only limited credentials were stolen from the repositories in the attack and that there is no evidence they were used in additional attacks.
OpenAI says it isolated affected systems and accounts, revoked sessions, rotated credentials across affected repositories, and temporarily restricted deployment workflows. The company also conducted a forensic investigation with the help of a third-party incident response firm.
Code signing certificates used for OpenAI products on macOS, Windows, iOS, and Android were also exposed in the incident. While OpenAI has not detected that these certificates were abused to sign malicious software, the company is rotating them as a precaution.
This rotation will require macOS users to update their OpenAI desktop applications before June 12, 2026, as applications signed with the older certificates may not launch or receive updates due to Apple’s notarization process.
Windows and iOS users are not impacted and do not need to take any action.
The TanStack supply chain attack
The OpenAI breach is part of a massive Mini Shai-Hulud software supply-chain campaign that compromised hundreds of npm and PyPI packages earlier this week.
The attack initially targeted packages from TanStack and Mistral AI before spreading to other projects, including UiPath, Guardrails AI, and OpenSearch, through stolen CI/CD credentials and legitimate workflows.
Researchers from Socket and Aikido ultimately tracked hundreds of compromised packages distributed through legitimate package repositories.
According to TanStack’s post-mortem, the attackers abused weaknesses in the project’s GitHub Actions workflows and CI/CD configuration to execute malicious code, extract tokens from memory, and publish malicious packages through TanStack’s normal release pipeline.
This allowed the attackers to publish malicious package versions directly through legitimate releases, with the packages appearing legitimate.
The Mini Shai-Hulud malware delivered in the campaign targeted the theft of developer and cloud credentials, including GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and .env files.
Security researchers say the malware also established persistence on developer systems by modifying Claude Code hooks and VS Code auto-run tasks, enabling it to survive package removal.
The malware spread to other projects by using stolen GitHub and npm credentials to compromise maintainer accounts, inject malicious payloads into package tarballs, and publish new trojanized package versions to repositories.
Microsoft Threat Intelligence also reported that it launched a Linux information-stealing tool that targeted systems running Russian-language software. The malware also contained a destructive sabotage component that would randomly execute a recursive wipe command on some Israeli or Iranian systems.
OpenAI says the incident is part of a growing trend of attackers targeting the software supply chain rather than individual companies directly, for widespread impact.
“Modern software is built on a deeply interconnected ecosystem of open-source libraries, package managers, and continuous integration and continuous deployment infrastructure, which means that a vulnerability introduced upstream can propagate widely and quickly across organizations,” the company concluded.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
Claim Your Spot
