"Upon identification of the malicious activity, we worked quickly to investigate, contain, and take steps to protect our systems," OpenAI said.
What happened at OpenAI and what was affected
OpenAI disclosed that two employee devices in its corporate environment were impacted by the Mini Shai-Hulud supply chain attack targeting TanStack. The company reported observing "activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access."
OpenAI said only limited credential material was successfully transferred from those repositories and that "no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner." In immediate response, the company isolated impacted systems and identities, revoked user sessions, rotated all credentials across impacted repositories, temporarily restricted code-deployment workflows, and audited user and credential behavior.
TanStack compromise, TeamPCP, and the broader campaign
Security researchers and vendors attribute a wide-ranging campaign to the threat actor known as TeamPCP. TeamPCP claimed dozens of new victims and the compromise of "hundreds of packages associated with TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI" as part of a supply chain operation designed to push malware to downstream developers and steal credentials.
TanStack described the attack path as an exploit of its continuous-integration pipeline: "The attacker managed to engineer a path where our own CI pipeline stole its own publish token for them, at the exact moment it was created, by way of a cache that everyone in the chain implicitly trusted." TeamPCP has also released a publicly available worm called Shai-Hulud and announced a contest offering "$1,000 in Monero to compromise open-source packages" using that worm.
TeamPCP additionally threatened to sell "about 5GB of internal source code from Mistral AI," asking for "$25,000 BIN" and warning it would leak the code if a buyer could not be found within a week.
Technical hallmarks identified by Hunt.io
Independent analysis highlights a modular, resilient toolkit with multiple exfiltration and failover mechanisms. Hunt.io reported the malware contains a hard-coded primary command-and-control (C2) address at "83.142.209[.]194." If that primary C2 becomes unreachable, a fallback mechanism labeled FIRESCALE is activated.
Hunt.io writes that the FIRESCALE fallback searches "all public GitHub commit messages worldwide for a signed alternative server URL, verified against an embedded 4096‑bit RSA key." Exfiltration follows three tiers in sequence: the primary C2 server, the FIRESCALE dead-drop redirect, and the victim's own GitHub repository—so "blocking any single tier leaves the other two intact."
The collection module is unusually broad in scope: it harvests Amazon Web Services credentials across all 19 availability zones on its target list, explicitly including us-gov-east-1 and us-gov-west-1 (AWS GovCloud regions). Beyond credential files, the toolkit "captures every environment variable on the machine, reads all SSH keys and config, walks the entire home directory for dotenv files, and pulls credentials from running Docker containers."
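Given that collection scope, rotation after a suspected infection has to cover everything readable on the device, not only the repositories involved. The following Python example is added here and is not code from OpenAI, Hunt.io or TanStack: it inventories, by name only and without recording any secret value, the environment variables, SSH private keys, dotenv files and AWS or package-registry credential files on a developer machine. The secret-name pattern, the inclusion of .npmrc and .pypirc, and the skipped directories are assumptions of this example, and credentials inside running Docker containers are not covered.

```python
import os
import re
from pathlib import Path

# Heuristic for secret-bearing variable names (assumption of this example).
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY|CREDENTIAL", re.I)
# Credential files at fixed paths under the home directory.
KNOWN_FILES = {".aws/credentials": "aws", ".aws/config": "aws",
               ".npmrc": "registry", ".pypirc": "registry"}
SKIP_DIRS = {"node_modules", ".git"}  # pruned to keep the walk fast (assumption)
DOTENV_KEY = re.compile(r"\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")


def dotenv_key_names(path):
    """Return the variable names defined in a dotenv file; values are discarded."""
    lines = Path(path).read_text(errors="replace").splitlines()
    return [m.group(1) for m in map(DOTENV_KEY.match, lines) if m]


def is_private_key(path):
    """True if the file starts with a PEM or OpenSSH private-key header."""
    with open(path, "rb") as fh:
        return b"PRIVATE KEY-----" in fh.read(100)


def rotation_inventory(home, environ):
    """Map category -> items whose secrets should be rotated (names only)."""
    home = Path(home)
    found = {"env": sorted(k for k in environ if SECRET_NAME.search(k)),
             "ssh": [], "dotenv": [], "aws": [], "registry": []}
    for rel, category in KNOWN_FILES.items():
        if (home / rel).is_file():
            found[category].append(rel)
    ssh_dir = home / ".ssh"
    if ssh_dir.is_dir():
        found["ssh"] = sorted(p.name for p in ssh_dir.iterdir()
                              if p.is_file() and is_private_key(p))
    for dirpath, dirnames, filenames in os.walk(home):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            if (name == ".env" or name.startswith(".env.")) and path.is_file():
                keys = ", ".join(dotenv_key_names(path))
                found["dotenv"].append(f"{path.relative_to(home)}: {keys}")
    found["dotenv"].sort()
    return found


if __name__ == "__main__":
    for category, items in rotation_inventory(Path.home(), os.environ).items():
        print(category, items)
```

Every item listed is a candidate for rotation, since the toolkit described above reads the whole environment and home directory rather than a fixed set of files.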
Hunt.io also notes destructive features: on machines geolocated to Israel or Iran, a 1‑in‑6 probability gate can trigger audio playback at maximum volume followed by deletion of accessible files; the malware also appears on systems with a Russian locale. Those behaviors echo prior destructive operations tied to this actor, reinforcing the assessment that the campaign is deliberate and multifaceted.
Mistral AI and trojanized SDKs
Mistral AI confirmed it was impacted by a supply chain attack stemming from the TanStack compromise. The company said trojanized versions of its npm and PyPI SDKs were released and that a lone developer device was impacted. Mistral reported there is "no evidence to suggest its infrastructure was breached."
User impact: code‑signing certificates and macOS updates
Because some of the impacted repositories included signing certificates for iOS, macOS, and Windows products, OpenAI revoked those certificates and issued new ones. The company said macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas must update their apps to the latest versions. "This helps prevent any risk, however unlikely, of someone attempting to distribute a fake app that appears to be from OpenAI," the company said; it added that Windows and iOS users do not need to take action.
OpenAI scheduled the old certificates to be revoked on June 12, 2026, after which macOS protections will block new downloads and launches of apps signed with the previous certificate. This is the second macOS code‑signing rotation OpenAI has performed in as many months: around mid‑April 2026, the company rotated certificates after a GitHub Actions workflow used to sign macOS apps led, on March 31, to the download of a malicious Axios library that had been compromised by a North Korean group identified as UNC1069.
What this means for developers, enterprises, and end users
- Developers and CI teams: expect attacks that exploit trusted caches and automation workflows rather than stolen maintainer credentials—TanStack warned the publish token was taken "by way of a cache that everyone in the chain implicitly trusted."
- Enterprises and security teams: treat credential exposure across code repositories and signing systems as an immediate risk vector; OpenAI's rapid credential rotation, session revocation, and temporary restriction of deployment workflows illustrate operational mitigations that organizations may need to replicate.
- End users and macOS customers: update ChatGPT Desktop, Codex App, Codex CLI, and Atlas before June 12, 2026 so that systems do not block or fail to launch applications signed with revoked certificates.
The campaign around TanStack and the release of Shai‑Hulud underscores a central fact stated by OpenAI: "attackers are increasingly targeting shared software dependencies and development tooling rather than any single company." With multiple fallback exfiltration paths, regionally targeted destructive behavior, and incentives from the attacker community to reuse the worm, the immediate technical response—revoked certificates, credential rotations, and repository audits—answers today's breach; whether it will blunt subsequent reuse of the same chain-of-trust weaknesses remains the urgent open question.




