Executive Summary
OpenAI has confirmed that two employee devices within its corporate environment were compromised as part of the TanStack supply chain attack, specifically through the Mini Shai-Hulud malware campaign orchestrated by the TeamPCP threat group. The breach resulted in unauthorized access and credential-focused exfiltration activity within a limited subset of internal source code repositories accessible to the affected employees. OpenAI has stated that no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner. The incident necessitated the revocation and re-issuance of code-signing certificates for macOS, iOS, and Windows products, with a mandatory update for macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas before June 12, 2026. The attack is part of a broader campaign targeting open-source software dependencies and CI/CD pipelines, affecting hundreds of npm and PyPI packages and posing significant risks to organizations relying on these ecosystems. OpenAI responded by isolating impacted systems, rotating credentials, restricting deployment workflows, and conducting a forensic investigation. The campaign demonstrates the increasing sophistication and scale of supply chain attacks, with sector-specific implications for AI, cloud, and government environments. All information in this summary is directly supported by the referenced technical sources.
Technical Information
The TanStack supply chain attack represents a sophisticated compromise of the software development lifecycle, leveraging weaknesses in CI/CD (Continuous Integration/Continuous Deployment) pipelines and open-source package management. The attack was executed by the TeamPCP threat group, which exploited the TanStack project's GitHub Actions workflows and CI/CD configuration to inject malicious code into legitimate package releases. This was achieved without direct credential theft or phishing of maintainers; instead, the attackers engineered a scenario where the CI pipeline itself exfiltrated its own publish token via a trusted cache, enabling the publication of trojanized npm and PyPI packages through standard release channels (The Hacker News, May 15–16, 2026).
The primary malware family used in this campaign is Mini Shai-Hulud, which was distributed via compromised packages. The malware is modular and highly capable, with features including credential harvesting (GitHub tokens, npm publish tokens, AWS credentials including AWS GovCloud, Kubernetes secrets, SSH keys, and dotenv files), environment variable collection, Docker credential extraction, and destructive payloads. Persistence was established on developer endpoints by modifying VS Code auto-run tasks and Claude Code hooks, allowing the malware to survive package removal (BleepingComputer, May 14, 2026).
Exfiltration of stolen data was performed through a hard-coded command-and-control (C2) server at 83.142.209[.]194. If the primary C2 was unreachable, a fallback mechanism called FIRESCALE was activated, which searched public GitHub commit messages for signed alternative C2 URLs, verified against an embedded 4096-bit RSA key. As a last resort, exfiltration could occur via the victim’s own GitHub repository. This multi-tiered approach ensured resilience against single-point blocking (The Hacker News, May 15–16, 2026).
The malware also contained a destructive component: on systems geolocated to Israel or Iran, there was a one-in-six chance that the malware would play loud audio at maximum volume and then recursively delete all accessible files. The malware was programmed to exit on systems with a Russian locale, indicating selective targeting and possible geopolitical motivations.
The attack on OpenAI was limited to two employee devices, with unauthorized access observed in a subset of internal source code repositories. Only limited credential material was exfiltrated, and there is no evidence that these credentials were used in further attacks. However, the impacted repositories included signing certificates for macOS, iOS, and Windows products, necessitating the revocation and re-issuance of these certificates. OpenAI responded by isolating affected systems and identities, revoking user sessions, rotating all credentials across impacted repositories, temporarily restricting code-deployment workflows, and auditing user and credential behavior. A forensic investigation was conducted with the assistance of a third-party incident response firm (BleepingComputer, May 14, 2026).
The broader campaign affected hundreds of npm and PyPI packages, with downstream impact on organizations and developers relying on these dependencies. The attackers leveraged stolen GitHub and npm credentials to compromise maintainer accounts, inject malicious payloads into package tarballs, and publish new trojanized package versions to repositories. The campaign also targeted AWS GovCloud credentials, posing risks to U.S. government agencies and defense contractors.
The infrastructure used by TeamPCP included multiple C2 servers within the 83.142.209[.]0/24 subnet, with evidence of infrastructure aging (provisioning C2 IPs months in advance to accumulate a clean history). The same infrastructure was used in previous attacks, including the LiteLLM PyPI compromise, Trivy scanner hijack, Checkmarx KICS attack, and Jenkins AST Plugin backdoor. TeamPCP is known for running a public contest to incentivize further supply chain attacks using the Shai-Hulud worm, and for extortion attempts involving the sale of stolen source code.
The technical sophistication of the attack is further demonstrated by the malware’s ability to establish persistence, evade detection, and execute destructive actions based on geolocation. The campaign reflects a broader shift in the threat landscape, with attackers increasingly targeting shared software dependencies and development tooling rather than individual companies, enabling rapid and widespread propagation of vulnerabilities across organizations.
Affected Versions & Timeline
The attack primarily impacted TanStack npm and PyPI packages, with downstream effects on projects and organizations that integrated these dependencies. OpenAI’s internal source code repositories accessible to the two compromised employee devices were affected, specifically those containing signing certificates for macOS, iOS, and Windows products.
The timeline of verified events is as follows:
March 31, 2026: A related incident occurred when a malicious Axios library was downloaded via a GitHub Actions workflow, attributed to the UNC1069 group.
Early May 2026: TanStack, Mistral AI, and other projects were compromised via CI/CD pipeline abuse.
May 14–15, 2026: OpenAI disclosed the breach, rotated certificates, and issued a macOS update advisory.
June 12, 2026: Deadline for macOS users to update OpenAI apps before certificate revocation. After this date, new downloads and launches of apps signed with the previous certificate will be blocked by built-in macOS protections (The Hacker News, May 15–16, 2026; BleepingComputer, May 14, 2026).
Threat Activity
The TeamPCP threat group orchestrated the attack, leveraging advanced techniques to compromise the TanStack CI/CD pipeline and distribute the Mini Shai-Hulud malware via legitimate package releases. The attackers exploited weaknesses in GitHub Actions workflows and CI/CD configuration, enabling the CI pipeline to exfiltrate its own publish token and publish trojanized packages. The malware targeted developer and cloud credentials, established persistence on endpoints, and included destructive payloads for specific geolocations.
The campaign affected hundreds of npm and PyPI packages, with downstream impact on projects such as Mistral AI, UiPath, Guardrails AI, OpenSearch, and OpenAI. The attackers used stolen credentials to compromise maintainer accounts, inject malicious payloads, and publish new package versions. The malware’s exfiltration mechanisms included a hard-coded C2 server, the FIRESCALE fallback using public GitHub commit messages, and exfiltration to the victim’s own GitHub repository.
The infrastructure used by TeamPCP was provisioned months in advance and reused across multiple campaigns, including the LiteLLM PyPI compromise, Trivy scanner hijack, Checkmarx KICS attack, and Jenkins AST Plugin backdoor. The group also ran a public contest to incentivize further supply chain attacks and engaged in extortion attempts involving the sale of stolen source code.
The malware’s destructive component targeted systems in Israel and Iran, with a one-in-six chance of triggering a wiper that played loud audio and deleted all accessible files. The malware exited on Russian-locale systems, indicating selective targeting. The campaign demonstrates a high level of technical sophistication, resilience, and intentionality, with significant implications for organizations relying on open-source software and CI/CD pipelines.
Mitigation & Workarounds
The following mitigation actions have been implemented or are recommended, prioritized by severity:
Critical: All macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas must update their applications to the latest versions before June 12, 2026. After this date, applications signed with the previous certificate will be blocked by macOS protections, and users may be unable to launch or update affected apps. This action is necessary to prevent the risk of malicious actors distributing fake apps using compromised certificates (The Hacker News, May 15–16, 2026; BleepingComputer, May 14, 2026).
High: Organizations should immediately rotate all credentials associated with affected repositories, including GitHub tokens, npm publish tokens, AWS credentials, Kubernetes secrets, SSH keys, and dotenv files. Audit all user and credential behavior for signs of unauthorized access or exfiltration.
High: Review and harden CI/CD pipeline configurations, especially GitHub Actions workflows, to prevent abuse of publish tokens and other sensitive credentials. Implement least-privilege access, restrict token scope, and monitor for anomalous activity within CI/CD environments.
Medium: Conduct a comprehensive forensic investigation of all systems and repositories that may have integrated affected TanStack or related npm/PyPI packages. Remove any trojanized packages and verify the integrity of all dependencies.
Medium: Monitor for indicators of compromise associated with the Mini Shai-Hulud malware, including connections to C2 infrastructure (83.142.209[.]194, 83.142.209[.]11, 83.142.209[.]203), modifications to VS Code auto-run tasks, and unauthorized credential access or exfiltration.
Low: Educate development and security teams about the risks of supply chain attacks, the importance of dependency management, and best practices for securing CI/CD pipelines and open-source integrations.
No action is required for Windows and iOS users of OpenAI applications, as these platforms are not impacted by the certificate rotation.
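The persistence mechanism described under Technical Information (modified VS Code auto-run tasks and Claude Code hooks) and the monitoring item above can be checked with a short scan of developer checkouts. The Python below is an added example, not code from OpenAI, the cited reports or Rescana. It assumes the two tools' standard configuration locations (.vscode/tasks.json with runOptions.runOn set to folderOpen, and the hooks key in .claude/settings.json or settings.local.json), which the page itself does not specify; the sample file contents are constructed.

```python
import json
import re
from pathlib import Path, PurePosixPath

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, preserved while stripping
TARGETS = {".vscode": {"tasks.json"}, ".claude": {"settings.json", "settings.local.json"}}
SAMPLE = {  # constructed file contents; the commands are harmless placeholders
    "app/.vscode/tasks.json": """{ "tasks": [ // constructed sample
        {"label": "lint", "type": "shell", "command": "npm run lint"},
        {"label": "setup", "command": "node", "args": ["placeholder.js"],
         "runOptions": {"runOn": "folderOpen"}},
      ]}""",
    "app/.claude/settings.json": """{"hooks": {"SessionStart": [
      {"hooks": [{"type": "command", "command": "sh placeholder.sh"}]}]}}""",
    "lib/.vscode/tasks.json": "{ truncated"}

def load_jsonc(text):  # JSON that may carry // or /* */ comments, trailing commas
    keep = lambda m: m.group(0) if m.group(0)[0] == '"' else ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return json.loads(re.sub(_STR + r"|,(?=\s*[}\]])", keep, text))

def entries(folder, doc):
    """Yield (kind, command) for entries that run without the user starting them."""
    if folder == ".vscode":
        for task in doc.get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                cmd = [task.get("command", "")] + task.get("args", [])
                yield "vscode:folderOpen", " ".join(map(str, cmd))
    else:
        for event, groups in doc.get("hooks", {}).items():
            for hook in (h for g in groups for h in g.get("hooks", [])):
                if hook.get("type") == "command":
                    yield f"claude-hook:{event}", hook.get("command", "")

def inspect_file(rel, text):
    """Return (path, kind, command) findings for one config file's text."""
    try:
        found = entries(PurePosixPath(rel).parent.name, load_jsonc(text))
        return [(rel, kind, cmd) for kind, cmd in found]
    except (ValueError, AttributeError, TypeError):
        return [(rel, "unparseable", "review manually")]

def scan_tree(root):  # inspect every targeted config file under root on disk
    hits = []
    for p in Path(root).rglob("*.json"):
        if p.name in TARGETS.get(p.parent.name, ()):
            text = p.read_text(encoding="utf-8", errors="replace")
            hits += inspect_file(p.relative_to(root).as_posix(), text)
    return sorted(hits)
```

Each finding is an entry to review rather than a verdict, since legitimate projects also use folder-open tasks and hooks. Files that fail to parse are reported instead of skipped so that a damaged or deliberately malformed config still gets a manual look.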
References
The following primary sources provide direct technical evidence and detailed analysis of the incident:
https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their software supply chain and vendor ecosystem. Our platform enables continuous visibility into open-source dependencies, CI/CD pipeline exposures, and credential management practices, supporting proactive detection and mitigation of supply chain threats. For questions regarding this incident or to discuss supply chain risk management strategies, contact us at ops@rescana.com.

