Two OpenAI employee devices were compromised in the TanStack npm supply chain attack after the company's own upgraded security controls failed to reach their machines in time, forcing an emergency rotation of code-signing certificates for macOS products. The May 11 attack by the TeamPCP hacking group, dubbed "Mini Shai-Hulud," hit TanStack's release infrastructure and published 84 malicious packages across 42 repositories. OpenAI disclosed this week that two employees in its corporate environment downloaded the poisoned dependencies before new package management protections could be deployed to their devices.
Those protections were accelerated after a previous Axios-related supply chain incident, but the rollout was phased. The two affected machines had not received updated configurations that would have blocked the malicious package, the company said in a security advisory. The attackers exfiltrated credentials from internal source code repositories accessible to those employees, including code-signing certificates for iOS, macOS, and Windows products. OpenAI said it found "only limited credential material was successfully exfiltrated" and found no evidence of customer data, production systems, or intellectual property being accessed.
Still, the exposure of signing certificates forced a company-wide reset. OpenAI isolated impacted systems, revoked user sessions, rotated credentials, and temporarily restricted code-deployment workflows.
It also hired a third-party digital forensics firm to assist with the investigation. The fallout lands directly on macOS users. OpenAI is rotating its code-signing certificates and will fully revoke the old ones on June 12, 2026.
After that date, macOS will block new downloads and launches of apps signed with the compromised certificate. Users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas must update before the deadline or risk losing functionality.
Windows and iOS users do not need to take any action.
This marks the second time in two months OpenAI has rotated macOS signing certificates. The previous rotation followed a March 31 incident where a GitHub Actions workflow used to sign macOS apps downloaded a malicious Axios library, which was compromised by North Korea's UNC1069 group. The TanStack breach is part of a broader campaign that has spread across the developer ecosystem. TeamPCP compromised packages from Mistral AI, UiPath, Guardrails AI, and OpenSearch, abusing GitHub Actions workflows and CI/CD configurations to extract tokens from memory and publish malicious versions through legitimate release pipelines.
Security firm Socket linked the TanStack compromise to a credential-stealing operation that has been worming through npm ecosystems for weeks.
Security researchers say the Mini Shai-Hulud malware targeted GitHub tokens, npm publish credentials, AWS secrets, Kubernetes configs, and SSH keys. It established persistence by modifying Claude Code hooks and VS Code auto-run tasks, surviving package removal. The malware also contained a destructive component that would execute a recursive wipe command on machines geolocated to Israel or Iran.
TeamPCP has since announced a supply chain attack contest in partnership with the Breached cybercrime forum, offering $1,000 in Monero to participants who compromise open-source packages using the Shai-Hulud worm it has made freely available. The group has also threatened to leak approximately 5GB of internal source code from Mistral AI, asking $25,000 from prospective buyers.
"This incident reflects a broader shift in the threat market: attackers are increasingly targeting shared software dependencies and development tooling rather than any single company," OpenAI said.
