OpenAI Reports Security Breach Linked to TanStack Supply Chain Attack

OpenAI has confirmed a security incident tied to a supply chain attack that spread through the TanStack ecosystem. The issue surfaced on May 11 and involved more than 160 npm and PyPI packages. Two employee devices at OpenAI were impacted during the activity. The company said the behavior matched known malware patterns already linked to the wider campaign. That included unauthorized access attempts and credential-focused data theft inside a small set of internal code repositories. Those repositories were only accessible to the two affected employees. OpenAI says the exposure stayed limited to that slice of internal systems. No customer data was touched. Production systems were not reached either. Deployed models and core intellectual property were not affected.

The broader incident is part of what security researchers are calling the “Mini Shai-Hulud” supply chain campaign. It has been linked to an extortion group known as TeamPCP. The method was simple in concept but messy in impact. Malicious updates were inserted into trusted open-source packages, then pushed through normal developer channels.

Once inside, the attack moved across ecosystems. It started with TanStack and Mistral AI and later showed signs of spreading to UiPath, Guardrails AI, and OpenSearch. The spread happened through stolen CI/CD credentials, which gave attackers access to software build pipelines. Security teams from Socket and Aikido tracked the activity. They reported hundreds of compromised packages showing up in legitimate repositories. Many looked normal at first glance, which slowed detection in the early phase.

Inside OpenAI, engineers noticed behavior linked to credential theft and unauthorized repository access. Some data was pulled out, but only a small amount, according to the company. The rest of the systems stayed untouched. Even with the limited exposure, OpenAI moved quickly. Code-signing certificates for macOS applications were rotated as a precaution. Users were told to update their apps before June 12, 2026.

There is also a wider knock-on effect. Any older macOS builds signed with the previous certificates may stop working after that date. Some downloads could also be blocked by Apple’s security checks once the revocation fully kicks in. OpenAI brought in an external forensics team to help map the breach and confirm containment. Part of the response includes blocking notarization for any macOS apps tied to the affected certificates. That step is meant to prevent fake or modified apps from passing as official releases.

Windows and iOS users are not impacted. OpenAI says no action is required on those platforms. The company is still reviewing logs and repository activity to understand how far the credential access went. For now, it describes the impact as narrow but serious enough to require full certificate rotation and external review.

Supply chain attacks like this have become more common in open-source ecosystems. A single compromised dependency can ripple across multiple tools and companies. This case shows how quickly that spread can happen when build systems and credentials are exposed.

OpenAI says its core systems remain secure and continues to monitor for any related activity.
