Two OpenAI employees fell victim to the TanStack supply chain attack: what happened and what data was at risk
The campaign of cyberattacks against the software supply chain has a high-profile victim that has just come to light: OpenAI. The company that created ChatGPT has published a security report in which it acknowledges that two of its employees were directly affected by the incident known as Mini Shai-Hulud, a large-scale operation that compromised hundreds of open source packages distributed through the npm and PyPI repositories, and which has become one of the most relevant supply chain attacks of the year in the software development ecosystem.
The news comes at an especially sensitive time for the company, which had already accelerated its security measures after a previous incident related to the Axios library, in which unauthorized access attempts through external dependencies were also detected.
The Mini Shai-Hulud attack: hundreds of poisoned packages
To understand what happened to OpenAI, we must start from the attack that caused it. The threat group known as TeamPCP, identified as an extortion gang, compromised the publishing infrastructure of TanStack, an open source library with more than twelve million weekly downloads that is widely used in the development of web applications. In a span of just six minutes, the attackers published 84 malicious versions of its packages spread across 42 namespaces in the npm registry.
The attack did not stop there. From TanStack, the malware spread to other projects that depended on that compromised infrastructure, reaching packages from Mistral AI, UiPath, Guardrails AI and OpenSearch, among others. In total, the campaign affected more than 160 packages on npm and PyPI. The initial vector exploited weaknesses in the GitHub Actions workflows of the TanStack project: the attackers forged a pull request that triggered continuous integration processes and, through a poisoned pnpm cache, managed to extract OIDC tokens directly from the memory of the GitHub Actions runner.
The malware was primarily designed to steal credentials: GitHub tokens, secrets from cloud platforms like AWS, Google Cloud, and Azure, npm credentials, CI/CD pipeline authentication material, SSH keys, and Kubernetes service account tokens. In addition, it incorporated self-propagation capabilities to infect other packages that the affected developers maintained.
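The publishing pattern described above, 84 versions across 42 namespaces in six minutes, is one a registry monitor can alert on. The following is an added example, not code from TanStack, npm or OpenAI; the event format, scope names and thresholds are assumptions, and the publish events are constructed.

```javascript
// Added example: flag release bursts from a single npm scope.
// Scope names, versions and timestamps are constructed sample data.
function findPublishBursts(events, { windowMs, minVersions, minPackages }) {
  // Group publish events by scope ("@scope/pkg" -> "@scope").
  const byScope = new Map();
  for (const e of events) {
    const scope = e.name.startsWith('@') ? e.name.split('/')[0] : e.name;
    if (!byScope.has(scope)) byScope.set(scope, []);
    byScope.get(scope).push({ ...e, t: Date.parse(e.time) });
  }
  const alerts = [];
  for (const [scope, list] of byScope) {
    list.sort((a, b) => a.t - b.t);
    let start = 0, best = null;
    for (let end = 0; end < list.length; end++) {
      // Slide the window so it never spans more than windowMs.
      while (list[end].t - list[start].t > windowMs) start++;
      const slice = list.slice(start, end + 1);
      const packages = new Set(slice.map((e) => e.name)).size;
      const hit = slice.length >= minVersions && packages >= minPackages;
      if (hit && (!best || slice.length > best.versions)) {
        best = { scope, versions: slice.length, packages,
                 from: slice[0].time, to: list[end].time };
      }
    }
    if (best) alerts.push(best); // report the densest window per scope
  }
  return alerts;
}

function sampleEvents() {
  const events = [
    { name: '@quiet-scope/core', version: '1.0.1', time: '2026-01-05T09:00:00Z' },
    { name: '@quiet-scope/core', version: '1.0.2', time: '2026-01-12T09:00:00Z' },
    { name: '@quiet-scope/cli', version: '2.3.0', time: '2026-01-12T09:02:00Z' },
  ];
  const base = Date.parse('2026-01-20T14:00:00Z');
  for (let i = 0; i < 10; i++) { // 10 versions of 5 packages, 30 s apart
    events.push({ name: `@busy-scope/pkg-${i % 5}`,
                  version: `3.0.${Math.floor(i / 5)}`,
                  time: new Date(base + i * 30000).toISOString() });
  }
  return events;
}

const sampleAlerts = findPublishBursts(sampleEvents(),
  { windowMs: 6 * 60 * 1000, minVersions: 8, minPackages: 4 });
console.log(sampleAlerts);
```

Thresholds need tuning against a scope's normal release cadence, since monorepos that publish many packages in one legitimate release will also produce dense windows.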
How it reached OpenAI devices
According to the company’s own statement, the two employee devices that were compromised were part of the OpenAI corporate environment. The problem has a specific technical explanation: the incident occurred precisely during the gradual rollout of new security measures that OpenAI had been implementing since the previous incident with Axios. The two affected machines had not yet received updated package management configurations that would have prevented the download of the malicious component. It was a timing problem that left a window open at the worst possible moment.
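The page does not say which package management settings OpenAI was rolling out. One setting of this kind is a minimum release age, which refuses versions published too recently; the following is an added example of that check, not OpenAI's configuration or code, and the package names, dates and seven-day threshold are assumptions.

```javascript
// Added example: a release-age gate for resolved dependencies.
// The cooldown itself is an assumption; the page does not say which settings
// OpenAI rolled out. Package names and dates are constructed sample data.

const DAY_MS = 24 * 60 * 60 * 1000;

// resolved:     { "<name>": "<version>" } as pinned by a lockfile
// publishTimes: { "<name>": { "<version>": ISO timestamp } }, the same shape
//               as the `time` map in npm registry package metadata
function checkReleaseAge(resolved, publishTimes, { now, minAgeDays }) {
  const blocked = [];
  const unknown = [];
  for (const [name, version] of Object.entries(resolved)) {
    const published = (publishTimes[name] || {})[version];
    const t = Date.parse(published);
    if (Number.isNaN(t)) {
      // No trustworthy publish time: fail closed instead of assuming "old".
      unknown.push(`${name}@${version}`);
      continue;
    }
    const ageDays = (now - t) / DAY_MS;
    if (ageDays < minAgeDays) {
      blocked.push({ spec: `${name}@${version}`, ageDays: Math.floor(ageDays) });
    }
  }
  return { ok: blocked.length === 0 && unknown.length === 0, blocked, unknown };
}

// Constructed sample: one old release, one hours-old release, one with no record.
const sampleResolved = {
  '@example/router': '4.2.0',
  '@example/query': '5.9.1',
  '@example/table': '8.1.3',
};
const samplePublishTimes = {
  '@example/router': { '4.2.0': '2026-01-02T08:00:00Z' },
  '@example/query': { '5.9.1': '2026-03-10T11:54:00Z' },
};

function runSample() {
  return checkReleaseAge(sampleResolved, samplePublishTimes, {
    now: Date.parse('2026-03-10T18:00:00Z'),
    minAgeDays: 7,
  });
}

console.log(JSON.stringify(runSample(), null, 2));
```

A gate like this only protects machines that actually run it, which is the gap the two unconfigured devices fell into.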
Once malicious activity was detected, OpenAI activated its response protocol: it isolated the affected systems, revoked active sessions, rotated compromised credentials, and temporarily restricted parts of its code deployment flow. The company also hired an external firm specializing in digital forensics and incident response to support the investigation.
What data was stolen and what was not?
OpenAI's assessment is clear about the extent of the damage. The attackers gained unauthorized access to a limited subset of internal source code repositories to which the two affected employees had access, and from there conducted what the company describes as credential exfiltration activity. Only a limited volume of credential material was extracted from those repositories.
What the investigation did not find is equally relevant: no evidence of access to user data, no compromise of production systems, no alteration of deployed software and no access to intellectual property. The affected repositories contained digital certificates used to sign the company’s products, which prompted the next big decision.
macOS users must update by June 12
As a preventative measure, OpenAI has started rotating its code signing certificates. The decision has a direct consequence for users of its desktop applications on macOS: those who do not update their apps before June 12, 2026 may find that older versions stop working or receiving updates, as Apple will by default block apps signed with the old certificate once it is completely revoked.
Windows and iOS users are not affected by this measure and do not need to do anything. OpenAI has specified that the update can be carried out through the update mechanisms integrated into the applications themselves or from their official download pages, and has explicitly warned against installing updates from any other channels such as emails, messages, or third-party sites.
The company has also confirmed that it has already worked with platform providers to block any new notarization attempts with the compromised certificate, reducing the possibility of fraudulent applications posing as legitimate OpenAI software being distributed.
OpenAI has closed its statement by explicitly referring to the structural context that makes these attacks possible. Modern software is built on a deeply interconnected ecosystem of open source libraries, package managers, and continuous integration and deployment infrastructure, meaning that a vulnerability introduced at any point in that chain can spread quickly and widely to multiple organizations.
