Skip to main content
Emerging ThreatsSupply Chain Attacks

OpenAI Breach Exposes Code-Signing Certificates in TanStack Supply Chain Attack

Cluttered software development workstation with laptop, monitor, and papers in an office environment.

"We observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access," OpenAI explained.

OpenAI confirms two employee devices were breached, limits reported

OpenAI disclosed that two employees' devices were compromised in the recent TanStack supply-chain attack that has hit hundreds of npm and PyPI packages. In a security advisory published May 14, 2026, the company said the incident did not affect customer data, production systems, intellectual property, or deployed software. OpenAI reported that only a limited set of credentials were stolen from repositories those employees could access, and that there is no evidence those credentials were used to launch further attacks.

The Mini Shai-Hulud campaign and TanStack's post-mortem

The breach at OpenAI is tied to a broader operation researchers are calling the "Mini Shai-Hulud" supply-chain campaign, carried out by the extortion gang TeamPCP. The campaign initially targeted packages from TanStack and Mistral AI before spreading to projects including UiPath, Guardrails AI, and OpenSearch. Researchers at Socket and Aikido tracked hundreds of compromised packages that were distributed through legitimate package repositories.

TanStack's post-mortem, cited by researchers, says attackers abused weaknesses in the project's GitHub Actions workflows and CI/CD configuration to run malicious code, extract tokens from memory, and publish malicious package versions through TanStack's normal release pipeline. That mechanism allowed trojanized packages to be published directly through legitimate releases, making them appear authentic to downstream users.

How the malware behaved: credential theft, persistence, and lateral spread

Analysts say the Mini Shai-Hulud malware was designed to harvest developer and cloud credentials, including GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and .env files. The malware also established persistence on developer systems by modifying Claude Code hooks and Visual Studio Code auto-run tasks, allowing it to survive removal of the infected packages.

After stealing CI/CD and package-manager credentials, attackers used those tokens to compromise maintainer accounts, inject malicious payloads into package tarballs, and publish new trojanized versions to repositories—enabling the campaign to spread to otherwise unrelated projects. Microsoft Threat Intelligence additionally reported that the operation included a Linux information-stealing tool targeting systems running Russian-language software and a destructive sabotage component designed to randomly execute a recursive wipe command on some Israeli or Iranian systems.

OpenAI's technical response and the code-signing certificate rotation

OpenAI said it isolated affected systems and accounts, revoked sessions, rotated credentials across impacted repositories, and temporarily restricted deployment workflows while it conducted a forensic investigation with a third-party incident response firm. The company also revealed that code-signing certificates used for OpenAI products on macOS, Windows, iOS, and Android were exposed in the incident.

Although OpenAI has not detected any abuse of those certificates to sign malicious software, it is rotating them as a precaution. That rotation introduces a practical impact for macOS users: applications signed with the older certificates may not launch or receive updates due to Apple's notarization process, so OpenAI is requiring macOS users to update their OpenAI desktop applications before June 12, 2026. According to the advisory, Windows and iOS users are not impacted and do not need to take action.

What this means for technologists, open-source maintainers, and end users

  • Technologists and security teams: OpenAI's actions—isolating systems, revoking sessions, rotating repository credentials, and engaging a third-party forensic firm—map directly to the immediate defensive measures organizations in similar incidents will likely take, and underscore the specific threat posed by credential-focused exfiltration in CI/CD contexts.
  • Open-source maintainers and CI/CD operators: TanStack's post-mortem highlights how weaknesses in GitHub Actions and CI/CD configuration were exploited to publish malicious releases; maintainers will need to scrutinize workflow permissions, memory-resident token exposure, and release pipelines where an upstream compromise can masquerade as a legitimate update.
  • End users of affected software: The clearest consumer-facing consequence in this incident is procedural—macOS users of OpenAI's desktop apps must update before June 12, 2026, to avoid interrupted use, while Windows and iOS users are reported not to be impacted.

OpenAI framed this event as part of a growing trend: "Modern software is built on a deeply interconnected ecosystem of open-source libraries, package managers, and continuous integration and continuous deployment infrastructure, which means that a vulnerability introduced upstream can propagate widely and quickly across organizations," the company concluded. The incident combines a widespread campaign that trojanized trusted packages, targeted credential theft from developer workstations and CI systems, and the exposure of tooling—like code-signing certificates—that providers rotate out of caution even when no active misuse is detected.

Link to original advisory and reporting: https://www.bleepingcomputer.com/news/security/openai-confirms-security-breach-in-tanstack-supply-chain-attack/