Openai Hit by TanStack Supply Chain Attack

OpenAI has revealed it was affected by the recent TanStack supply chain attack, which involved the exfiltration of credential material from internal source code repositories. The incident highlights ongoing risks in software supply chains and underscores the need for vigilance when relying on open source components. Although the breach was limited in scope, it provided attackers access to sensitive code-signing certificates and employee credentials, forcing OpenAI to take immediate remedial actions.

What Happened In The OpenAI Hit By TanStack Supply Chain Attack

On May 11, the TeamPCP hacking group exploited weaknesses in the TanStack package publishing process, releasing 84 malicious artifacts across 42 packages. This attack was part of a coordinated campaign that compromised over 170 packages within prominent NPM and PyPI namespaces. The attack also deployed a worm named Shai-Hulud, which infected developer devices downstream.

OpenAI was among the organizations impacted by this supply chain compromise. Two employee devices were infected, allowing attackers to steal credentials and other secret information from internal source code repositories accessible to these employees. Despite the breach, OpenAI confirmed that only limited credential material was taken and no customer data or intellectual property was accessed or modified.

The Vulnerability Explained In The OpenAI Hit By TanStack Supply Chain Attack

The root cause was a security flaw in the package publishing process of the TanStack open source development stack. This flaw enabled malicious actors to inject harmful artifacts into multiple packages distributed through popular package managers such as NPM and PyPI. The widespread nature of the attack made it challenging for downstream organizations to avoid exposure.

Developer devices infected by the Shai-Hulud worm served as a launchpad for further infiltration. In OpenAI’s case, two employee computers had not yet been updated with hardened security configurations, which would have blocked the malicious package downloads. This gap occurred during a phased transition prompted by a previous supply chain attack against OpenAI in March.

Who Is At Risk From The OpenAI Hit By TanStack Supply Chain Attack

The attack mainly affected developers using the TanStack open source packages on May 11 and downstream organizations whose employees had access to compromised developer devices or repositories. OpenAI employees who had access to specific internal repositories were at direct risk, as credential material stored within those repositories was exfiltrated.

Additionally, users of OpenAI applications on macOS, iOS, Windows, and Android platforms are indirectly affected. The compromised repositories included code-signing certificates for these products, which OpenAI has now revoked to prevent misuse. macOS users must update their OpenAI applications by June 12, 2026, to maintain secure and functional software.

What To Do Now After The OpenAI Hit By TanStack Supply Chain Attack

• OpenAI has rotated all credentials for affected repositories and revoked user sessions to block unauthorized access.
• Code deployment workflows were temporarily restricted to avoid further compromise during the investigation.
• The company has revoked all code-signing certificates linked to the compromised repositories and is re-signing applications across supported platforms.
• macOS users need to update OpenAI applications before the June 12, 2026 deadline to avoid losing updates or functionality.
• OpenAI is collaborating with platform providers to halt new notarizations using stolen certificates and to prevent malicious software distribution.
• Developers using TanStack packages should verify their dependencies and update to secure versions released after May 11, 2024.
• Organizations should strengthen endpoint security, enforce multi-factor authentication, and monitor for unusual repository access or package behavior.

Background On Supply Chain Attacks And OpenAI’s Response

Supply chain attacks have become a growing threat vector, exploiting trust in third-party components to compromise large software ecosystems. This attack follows a previous incident in March that involved the compromise of OpenAI’s macOS app signing certificates. The phased rollout of hardened security measures during that period left a window of vulnerability exploited in May.

OpenAI has taken swift action to mitigate risks and prevent future incidents. The company conducted a thorough review of all notarized software signed with previous certificates and found no evidence of unauthorized modifications or malicious software distribution. This incident emphasizes the importance of rapid security updates and continuous monitoring in protecting software supply chains.