AI Privacy Incident
May 11, 2026

OpenAI internal repo and signing credential exposure via TanStack npm supply chain

Vendor: OpenAI
Product: ChatGPT Desktop, Codex, Atlas (macOS)
Severity: high
Status: confirmed-resolved
Users affected: all macOS users of OpenAI desktop applications must update before 2026-06-12 due to certificate rotation; no customer data accessed per OpenAI

Summary

On May 14, 2026, OpenAI disclosed that two employee devices were impacted by malicious npm packages from the TanStack supply chain attack, which researchers tracked as Mini Shai-Hulud. The company confirmed credential-exfiltration activity in a limited subset of internal source code repositories that held signing certificates for its iOS, macOS, and Windows products. OpenAI said it found no evidence that user data, production systems, or intellectual property were compromised, and rotated the affected certificates.

What happened

  • Researchers at Wiz, Socket, and Aikido reported that 84 malicious npm package versions were published in a six-minute window on May 11, 2026, including TanStack artifacts with more than 12 million weekly downloads.
  • OpenAI stated that two employee devices installed a malicious version before updated configurations could block it, and that the malware accessed a limited subset of internal source code repositories.
  • The impacted repositories held signing certificates for OpenAI's iOS, macOS, and Windows desktop products, per OpenAI's disclosure.
  • OpenAI said it rotated the affected certificates and coordinated with platform vendors to block use of the previous credentials.
  • macOS users must update OpenAI desktop apps before June 12, 2026, after which older builds will fail Apple's notarization checks.

Timeline

  • 2026-04-29 - First wave of malicious npm packages published in the broader campaign, per Wiz.
  • 2026-05-11 - 84 TanStack-related malicious package versions published; two OpenAI employee devices installed an affected version.
  • 2026-05-14 - OpenAI publishes disclosure confirming employee device compromise and credential exfiltration.
  • 2026-06-12 - Deadline for macOS users to update OpenAI desktop apps before signing certificates expire.

What the vendor has confirmed

OpenAI stated it "observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories." The company said it found "no evidence that OpenAI user data was accessed, that our production systems or intellectual property were compromised, or that our software was altered." Listed remediation included credential rotation, CI/CD secret hardening, npm minimumReleaseAge controls, and additional package provenance validation.
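The minimum-release-age control listed in the remediation, sketched as an added example (not OpenAI's code or any package manager's implementation): it flags lockfile entries whose version was published more recently than a quarantine window, and fails closed when the publish time cannot be verified. The package names, timestamps and the seven-day window are constructed for illustration.

```javascript
// Added example: minimum-release-age gate over a lockfile.
// LOCKFILE and PUBLISH_TIMES are constructed sample data; package names are hypothetical.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example/router-core": { version: "4.2.1" },
    "node_modules/@example/query-utils": { version: "2.0.0" },
    "node_modules/@example/router-core/node_modules/left-helper": { version: "0.3.0" },
    "node_modules/local-tool": { version: "1.0.0", link: true },
  },
};
// Shaped like the "time" map in registry package metadata: version -> ISO publish time.
const PUBLISH_TIMES = {
  "@example/router-core": { "4.2.0": "2026-03-02T10:00:00Z", "4.2.1": "2026-05-11T19:20:00Z" },
  "@example/query-utils": { "2.0.0": "2025-11-20T08:30:00Z" },
  // left-helper is deliberately absent to exercise the fail-closed path.
};

// "node_modules/a/node_modules/@s/b" -> "@s/b" (the innermost installed package).
function packageName(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Returns entries that violate the gate: too new, or with no verifiable publish time.
function checkReleaseAge(lockfile, publishTimes, minAgeMinutes, now) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // Skip the root project, workspace members and symlinked local packages.
    if (!path.includes("node_modules/") || entry.link || !entry.version) continue;
    const name = packageName(path);
    const published = publishTimes[name]?.[entry.version];
    const ts = published ? Date.parse(published) : NaN;
    if (Number.isNaN(ts)) {
      findings.push({ name, version: entry.version, reason: "unknown-publish-time" });
      continue;
    }
    const ageMinutes = Math.floor((now.getTime() - ts) / 60000);
    if (ageMinutes < minAgeMinutes) {
      findings.push({ name, version: entry.version, reason: "too-new", ageMinutes });
    }
  }
  return findings;
}

const NOW = new Date("2026-05-11T19:30:00Z"); // constructed install time
const findings = checkReleaseAge(LOCKFILE, PUBLISH_TIMES, 7 * 24 * 60, NOW);
for (const f of findings) console.log(`${f.name}@${f.version}: ${f.reason}`);
```

Run as a CI step before install, a non-empty result would fail the build; transitive dependencies are covered because the check walks every lockfile entry, not only direct dependencies.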

Broader context

A self-propagating npm worm affecting widely depended-on libraries puts every downstream vendor's build environment in the blast radius of a single maintainer compromise. The risk profile rises when that environment also holds signing material for end-user applications, since the same credential exfiltration can threaten the integrity of binaries running on customer machines.

Sources

Written by

Selvam Sivakumar

Founder, Elephas.app

Selvam Sivakumar is the founder of Elephas and an expert in AI, Mac apps, and productivity tools. He writes about practical ways professionals can use AI to work smarter while keeping their data private.
