Vulnerability  ·  2026-05-15

OpenAI Confirms TanStack Supply-Chain Breach Affected Two Employee Devices, Code-Signing Certificates Exfiltrated

Vulnerability  ·  High impact  ·  Global
OpenAI confirmed on May 14, 2026, that two employee devices in its corporate environment were compromised as part of the Mini Shai-Hulud supply-chain campaign that targeted TanStack npm packages on May 11. The malware, distributed through malicious TanStack package versions, exhibited credential-focused exfiltration activity and obtained unauthorized access to a limited subset of internal source code repositories accessible to the two affected employees. OpenAI stated that only limited credential material was successfully exfiltrated and that no other information or code was impacted. The compromised repositories included code-signing certificates for OpenAI products on iOS, macOS, Windows, and Android. OpenAI is rotating all affected certificates as a precaution, requiring macOS users to update applications by June 12, 2026. The company found no evidence that the certificates were abused to sign malicious software, no evidence of customer data access, production system compromise, or intellectual property theft.
Software supply-chain compromise. Attackers hijacked TanStack's GitHub Actions workflows using an orphaned commit pushed to a fork, obtaining a valid OIDC publish token that allowed them to publish 160+ malicious npm package versions carrying legitimate provenance attestations. The malicious packages contained lifecycle hooks that executed credential-stealing payloads on developer machines and CI runners. OpenAI employees using affected TanStack dependencies had their devices compromised, leading to exfiltration of credentials and code-signing certificates from accessible repositories.
The affected products are OpenAI macOS desktop applications (ChatGPT Desktop, Codex App, Codex CLI, Atlas) signed with certificates exposed in the breach. Windows and iOS applications are not affected. The TanStack supply-chain campaign also affected 160+ packages across the npm ecosystem, including @tanstack/react-router (12+ million weekly downloads), Mistral AI SDK, Guardrails AI, UiPath, and others.
macOS users of OpenAI applications must update to the latest versions by June 12, 2026, when the old certificates will be fully revoked. Applications signed with previous certificates will be blocked by macOS security protections after that date. OpenAI has coordinated with platform providers to prevent unauthorized use of the exposed certificates by stopping new notarizations, and has reviewed all software signing activity to confirm no unexpected software was signed. Organizations using TanStack or related packages should consult Sysdig, Aikido, and SafeDep advisories for full lists of compromised package versions, rotate credentials in use at time of installation, and check for malware persistence mechanisms including modified Claude Code hooks and VS Code auto-run tasks.
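The persistence check mentioned above can be scripted. This is an added example, not code from OpenAI or the cited advisories: a read-only Python scan that lists every VS Code task set to run on folder open and every Claude Code hook command under a directory, so each can be compared against what the team actually configured. The file locations and JSON shapes (`.vscode/tasks.json` with `runOptions.runOn`, `.claude/settings*.json` with a `hooks` map) are assumed from the tools' documented formats; the page does not describe what the malware wrote.

```python
import json, re, sys
from pathlib import Path

# Assumption: paths and JSON shapes are the tools' documented formats; the page
# does not say what the malware wrote. Read-only: nothing is executed or changed.
# Strings are matched first, so "//" inside a URL or command is left intact.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def load_jsonc(text):
    """Parse JSON with comments and trailing commas, as VS Code accepts it."""
    return json.loads(_JSONC.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text))

def _vscode_autorun(doc):
    # A task with runOptions.runOn == "folderOpen" runs when the folder is opened.
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            yield "vscode-autorun", str(task.get("command", ""))

def _claude_hooks(doc):
    # settings.json: {"hooks": {event: [{"matcher": ..., "hooks": [{"command": ...}]}]}}
    for event, groups in doc.get("hooks", {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                yield "claude-hook:" + event, str(hook.get("command", ""))

TARGETS = [(".vscode/tasks.json", _vscode_autorun),
           (".claude/settings*.json", _claude_hooks)]

def audit_workspace(root):
    """Return (file, kind, command) for each auto-executing entry under root."""
    findings = []
    for pattern, extract in TARGETS:
        for path in sorted(Path(root).rglob(pattern)):
            try:
                doc = load_jsonc(path.read_text(encoding="utf-8"))
                findings += [(str(path), kind, cmd) for kind, cmd in extract(doc)]
            except (OSError, ValueError, AttributeError, TypeError):
                # A config that will not parse still needs a human to read it.
                findings.append((str(path), "unparseable", ""))
    return findings

if __name__ == "__main__":
    for file, kind, cmd in audit_workspace(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:28} {file}\n    {cmd}")
```

Pointing it at a home directory also covers user-level settings such as `~/.claude/settings.json`. A listed entry is not a verdict: legitimate projects use both mechanisms, so the output is a review list to diff against version control.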
Sources
OpenAI Security Advisory, TechCrunch, BleepingComputer