“84 malicious package versions spanning 42 @tanstack/* packages had been published” — a single tally that has now drawn OpenAI into a wider npm supply-chain crisis while the company scrambles to rotate signing certificates and force updates across multiple desktop products.
OpenAI's account: two compromised devices, credential-focused exfiltration
OpenAI says attackers reached two employee devices and stole internal credentials, prompting a precautionary reset across several products. According to the company, the attackers carried out "credential-focused exfiltration activity" against a limited set of internal repositories reachable from the affected machines and "only limited credential material was successfully exfiltrated from these code repositories." OpenAI also said there was "no evidence that customer data, production systems, or deployed software were compromised" and that it is continuing to investigate and monitor for any downstream abuse tied to the stolen credentials.
How the compromise fit into the Mini Shai-Hulud campaign and TanStack poisoning
Security firm Socket linked the TanStack compromise to the broader "Mini Shai-Hulud" operation. Researchers tracking the campaign have connected the activity to a threat group referred to as TeamPCP. TanStack confirmed the publication of 84 malicious package versions across 42 @tanstack/* packages after attackers compromised parts of its release infrastructure. The poisoned packages were designed largely to steal credentials — including GitHub tokens, cloud secrets, npm credentials, and CI/CD authentication material — and the operation appears to have abused poisoned automation workflows and stolen publishing credentials to push malicious package updates into trusted software pipelines.
Product impact: certificates rotated and macOS apps forced to update by June 12
As a direct remediation, OpenAI is rotating the certificates used to sign macOS versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas. The company is requiring users to update the affected software by June 12. OpenAI described the certificate resets and forced updates as a precaution triggered by the credential exfiltration, even as it maintains there is no evidence of production-system compromise.
Attack mechanics: missing protections during a phased security rollout
OpenAI said the incident occurred during a phased rollout of new supply-chain security controls that had been introduced after a previous Axios-related incident. The two compromised employee devices had not yet received the updated package-management protections that would have blocked the malicious dependency, the company said. That gap permitted the malicious dependency to reach those machines and allowed attackers to access internal repositories reachable from them.
What this means for developers, enterprises, and end users
- Developers and open-source maintainers: The TanStack numbers — 84 malicious versions across 42 packages — and evidence of poisoned automation workflows underline how publishing infrastructure and CI/CD pipelines can be abused to introduce credential-stealing code into trusted packages. Researchers have also tied similar Mini Shai-Hulud activity to earlier attacks involving SAP-related npm packages, suggesting the same credential-stealing techniques are spreading across ecosystems.
- Enterprises and procurement leaders: The incident shows how limited credential exfiltration from internal repositories can force broad remedial actions, such as rotating signing certificates for multiple products. Organizations will need to track downstream abuse tied to stolen credentials and consider how phased security rollouts might leave temporary gaps.
- End users of affected OpenAI desktop apps: Users must install updated macOS builds — ChatGPT Desktop, Codex App, Codex CLI, and Atlas — by June 12 to accommodate rotated signing certificates and the company's precautionary resets.
OpenAI's immediate mitigations — certificate rotations and mandatory updates — reflect a defensive posture aimed at preventing abused credentials from producing downstream harm. But the episode also underscores an unsettling practical truth recorded by observers: attackers are repeatedly reaching deeper into the software assembly line before defenders detect them. OpenAI says it is continuing its investigation and monitoring for downstream abuse; the broader Mini Shai-Hulud campaign and the TanStack poisonings make clear that the next moves will depend on whether investigators can trace and contain credential misuse in the weeks ahead.
