OpenAI: internal data compromised after installation of the booby-trapped TanStack library
OpenAI confirmed in May 2026 that two employee devices were compromised through the TanStack npm supply-chain attack, allowing attackers to exfiltrate limited authentication credentials from internal code repositories that contained its software signing certificates.
- Victim
- OpenAI
On 15 May 2026, OpenAI β the San Francisco AI lab behind ChatGPT β confirmed it had been caught up in a software supply-chain attack targeting the widely used TanStack npm library ecosystem. Around 11 May 2026, attackers behind a campaign dubbed "Mini Shai-Hulud" published malicious versions of dozens of @tanstack/* packages; when two OpenAI employees installed or updated the booby-trapped library, malware ran in their development environments.
The malicious code was built to harvest secrets from developer and CI environments β cloud credentials, Kubernetes and Vault tokens, npm and GitHub tokens, and SSH keys. On the two affected machines, the attackers carried out credential-focused exfiltration against a limited set of internal repositories reachable from those devices. Critically, some of those repositories held OpenAI's software signing certificates for macOS, Windows, iOS, and Android.
Data and assets involved:
- Limited authentication credentials from internal code repositories
- Internal repository contents accessible to the two affected employees
- Software signing certificates for macOS, Windows, iOS, and Android present in those repos
- No evidence of access to user data, production systems, AI models, or intellectual property
OpenAI isolated the affected systems, revoked the exposed credentials and user sessions, and renewed all of its software signing certificates, republishing its applications under new signatures. Because old certificates are being fully revoked on 12 June 2026, macOS users were instructed to update ChatGPT Desktop, the Codex app, Codex CLI, and Atlas before that date. OpenAI said it found no evidence of unauthorized software modification or of malicious applications distributed using its certificates.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/openai-des-donnees-internes-compromises-apres-linstallation-de-la-bibliotheque-piegee-tanstack/
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/openai-confirms-security-breach-in-tanstack-supply-chain-attack/
- theregister.comhttps://www.theregister.com/security/2026/05/15/openai-caught-in-tanstack-npm-supply-chain-chaos-after-employee-devices-compromised/5241019
- thehackernews.comhttps://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html