OpenAI Hit by TanStack Supply Chain Attack After Two Employee Machines Infected
OpenAI has confirmed it was caught up in the sprawling 'Mini Shai-Hulud' supply chain campaign after malware from poisoned TanStack npm packages reached two employee devices and made off with internal credentials.
The company says there's no evidence production systems, deployed software, or customer data were touched. Small comfort, perhaps, but worth stating. The damage was limited to credential material pulled from internal repositories accessible from the two compromised machines.
The timing is awkward. OpenAI was in the middle of rolling out new supply chain security controls following an earlier Axios-related incident. The two affected machines simply hadn't received the updated package management protections yet. The attackers hit the gap.
As a precaution, OpenAI is now rotating signing certificates across several desktop products: the macOS versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas. Users have until June 12 to update.
The broader Mini Shai-Hulud campaign has been a slow-moving disaster for developer infrastructure. Security firm Socket connected the TanStack compromise to this wider operation, which has been chewing through npm ecosystems, GitHub Actions workflows, and CI/CD pipelines for weeks. TanStack confirmed that 84 malicious package versions across 42 @tanstack packages were published after attackers got into its release infrastructure. The packages were designed to hoover up exactly the kind of credentials that matter: GitHub tokens, cloud secrets, npm credentials, and CI/CD authentication material.
Researchers have tied the activity to a group called TeamPCP, which also appears responsible for earlier attacks on SAP-related npm packages. The same credential-stealing playbook, different targets.
OpenAI says it's continuing to investigate and watching for signs that the stolen credentials are being used downstream.
The good news is that there is no sign production systems were breached. The bad news is that attackers keep getting further into the software build pipeline before anyone notices they were ever there.