Executive Summary
OpenAI has confirmed that two employee devices within its corporate environment were compromised as a result of the TanStack supply chain attack, specifically through the Mini Shai-Hulud malware campaign orchestrated by the threat group TeamPCP. The incident led to the exfiltration of limited credential material from internal source code repositories accessible to the affected employees. OpenAI has stated that there is no evidence of unauthorized access to user data, production systems, or intellectual property. In response, OpenAI rapidly isolated impacted systems, revoked and rotated credentials, and initiated a comprehensive review of code-signing certificates, particularly for its macOS products. The attack is part of a broader campaign targeting open-source software dependencies and CI/CD (Continuous Integration/Continuous Deployment) pipelines, affecting multiple organizations in the AI and software development sectors. The incident underscores the increasing risk posed by sophisticated supply chain attacks and highlights the importance of robust security controls for software dependencies and development infrastructure. All information in this summary is based on direct disclosures from OpenAI and corroborated by independent technical analyses published by The Hacker News and The Register (https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html, https://www.theregister.com/security/2026/05/15/openai-caught-in-tanstack-npm-supply-chain-chaos-after-employee-devices-compromised/5241019).
Technical Information
The TanStack supply chain attack represents a highly sophisticated campaign leveraging the compromise of open-source package ecosystems, specifically targeting the npm (Node Package Manager) infrastructure. The attack was executed by the threat group TeamPCP and utilized the Mini Shai-Hulud worm, a self-propagating malware designed to infiltrate development environments and CI/CD pipelines.
The initial access vector involved the injection of malicious code into legitimate TanStack npm packages. Attackers exploited weaknesses in the CI/CD pipeline, specifically by manipulating the GitHub Actions workflow to steal publishing tokens at the moment of their creation. This allowed the attackers to publish trojanized versions of TanStack packages, which were then distributed to downstream developers and organizations, including OpenAI.
Upon installation of the compromised packages on two OpenAI employee devices, the malware executed credential-focused exfiltration activities. The Mini Shai-Hulud worm is capable of harvesting a wide range of credentials, including GitHub tokens, cloud secrets (such as AWS credentials), npm credentials, and CI/CD authentication material. The malware achieves this by reading memory from running processes, scanning for credential files across the filesystem, and extracting secrets from environment variables and Docker containers.
The exfiltrated data is encrypted and transmitted to attacker-controlled command-and-control (C2) infrastructure. The primary C2 server identified is 83.142.209[.]194, with fallback mechanisms in place, such as the FIRESCALE dead-drop redirect and the use of the victim's own GitHub repository for data exfiltration. This multi-tiered exfiltration strategy increases the resilience of the attack against network-based defenses.
The malware also exhibits destructive capabilities. On systems geolocated to Israel or Iran, there is a probabilistic trigger that causes the malware to play audio at maximum volume and delete all accessible files. Additionally, if a ransom token is revoked, the malware can initiate a destructive wipe routine. These behaviors are consistent with previous TeamPCP campaigns, such as the CanisterWorm attack on Kubernetes clusters.
Persistence is achieved through the installation of hooks in integrated development environments (IDEs) like VS Code and Claude Code, as well as through OS-level services such as systemd and launchctl. The malware also modifies startup scripts and schedules tasks to maintain its presence on infected systems.
The attack on OpenAI occurred during a phased rollout of new supply chain security controls, following a previous incident involving a malicious Axios library. The two compromised employee devices had not yet received the updated package management protections that would have blocked the malicious dependency. As a result, limited credential material was exfiltrated from internal repositories, prompting OpenAI to rotate all affected credentials and code-signing certificates.
The broader Mini Shai-Hulud campaign has impacted hundreds of packages across multiple organizations, including UiPath, Mistral AI, OpenSearch, and Guardrails AI. The attackers have demonstrated a focus on credential theft and the propagation of malware through trusted software supply chains, with the ultimate goal of enabling further breaches and, in some cases, deploying ransomware or destructive payloads.
Technical analysis has mapped the attack methods to several MITRE ATT&CK techniques, including T1195.002 (Supply Chain Compromise), T1059 (Command and Scripting Interpreter), T1552 (Unsecured Credentials), T1041 (Exfiltration Over C2 Channel), T1485 (Data Destruction), and T1550.001 (Use of Application Access Token). The campaign's infrastructure, including the 83.142.209[.]0/24 subnet, has been linked to multiple prior attacks attributed to TeamPCP.
The evidence supporting these findings includes malware hashes, C2 domain analysis, process trees, persistence artifacts, and direct disclosures from affected organizations. The attribution to TeamPCP is assessed with high confidence based on infrastructure reuse, campaign markers, and public claims by the threat group.
Affected Versions & Timeline
The attack specifically impacted TanStack npm packages, with 84 malicious versions spanning 42 @tanstack/ packages published after the attackers compromised the release infrastructure. OpenAI products affected include the macOS versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas, due to the compromise of code-signing certificates stored in the impacted internal repositories.
The timeline of verified events is as follows:
March 31, 2026: A related supply chain compromise involving the Axios library occurred.
Mid-April 2026: OpenAI rotated code-signing certificates in response to the Axios incident.
May 15, 2026: OpenAI publicly disclosed the TanStack supply chain attack affecting two employee devices.
May 16, 2026: Additional technical analysis and infrastructure details were published by Hunt.io.
June 12, 2026: Scheduled revocation of the old macOS code-signing certificates, after which users must update their apps to maintain functionality and security.
Threat Activity
The threat activity observed in this campaign is characterized by the abuse of trusted software supply chains to distribute malware to downstream targets. The attackers, identified as TeamPCP, engineered a sophisticated attack path that exploited implicit trust in CI/CD pipelines and open-source package managers. By compromising the TanStack release infrastructure, the attackers were able to inject malicious code into widely used npm packages, which were then installed by developers and organizations worldwide.
The Mini Shai-Hulud worm is designed for credential theft and propagation. It targets secrets stored in memory, files, environment variables, and cloud service metadata endpoints. The malware employs multiple exfiltration channels to ensure successful data theft even if some network paths are blocked. The campaign also includes destructive and ransomware payloads, with region-specific triggers for data wiping and audio playback.
The attackers have demonstrated a high level of operational security, including the use of aged infrastructure to avoid detection and the deployment of modular malware capable of adapting to different environments. The campaign has targeted sectors such as AI, software development, cloud infrastructure, and government/defense, as evidenced by the targeting of AWS GovCloud credentials.
OpenAI's rapid response included isolating affected systems, revoking and rotating credentials, restricting code deployment workflows, and auditing user and credential behavior. The company also revoked and reissued code-signing certificates for its macOS products to prevent the distribution of potentially malicious or unauthorized applications.
Mitigation & Workarounds
The following mitigation actions have been implemented or are recommended, prioritized by severity:
Critical: All users of affected OpenAI macOS products (ChatGPT Desktop, Codex App, Codex CLI, and Atlas) must update their applications to the latest versions before June 12, 2026. After this date, old code-signing certificates will be revoked, and apps signed with previous certificates will be blocked by macOS protections. This measure is essential to prevent the risk of fake or malicious app distribution.
High: Organizations should immediately audit their software supply chain security controls, with a focus on dependency management, CI/CD pipeline integrity, and credential storage practices. Implementing automated dependency scanning, restricting the use of untrusted packages, and enforcing least-privilege access to sensitive repositories are critical steps.
High: Rotate all credentials, tokens, and secrets that may have been exposed through compromised dependencies or development environments. This includes GitHub tokens, npm credentials, cloud service keys, and CI/CD authentication material.
Medium: Monitor for indicators of compromise, such as outbound connections to known C2 infrastructure (e.g., 83.142.209[.]194), the presence of suspicious files like router_init.js, and anomalous package sizes or workflow modifications in development environments.
Medium: Enhance endpoint detection and response (EDR) capabilities to identify and contain malware persistence mechanisms, such as unauthorized systemd or launchctl services and IDE hooks.
Low: Educate development teams about the risks of supply chain attacks and the importance of verifying the integrity of open-source dependencies before use.
No action is required for Windows and iOS users of OpenAI products, as the revocation of code-signing certificates does not impact these platforms.
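An added example, not part of the original report or of any vendor tooling: a Python sweep for two of the indicators named above, the router_init.js file name and the 83.142.209[.]0/24 C2 range. The log lines, host names and the assumption that logs carry destination IPv4 addresses as text are constructed for illustration; a file-name hit is a lead for review, not proof of compromise.

```python
import ipaddress
import os
import re

# Indicators from this report, refanged for matching.
C2_SUBNET = ipaddress.ip_network("83.142.209.0/24")
C2_PRIMARY = ipaddress.ip_address("83.142.209.194")
IOC_FILENAME = "router_init.js"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed proxy log lines (hypothetical hosts; line 2 is a look-alike, not an IoC).
SAMPLE_LOG = [
    "2026-05-12T09:14:02Z dev-laptop-17 node[4121] CONNECT 83.142.209.194:443 allowed",
    "2026-05-12T09:14:05Z dev-laptop-17 node[4121] CONNECT 183.142.209.19:443 allowed",
    "2026-05-12T09:15:40Z build-agent-3 curl[880] CONNECT 83.142.209[.]77:8080 denied",
    "2026-05-12T09:16:11Z dev-laptop-02 npm[1290] CONNECT 198.51.100.7:443 allowed",
]

def match_c2(log_lines):
    """Return (line_no, ip, label) for every address inside the C2 subnet."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        # Refang defanged addresses so copied advisory text and raw logs both match.
        for token in IPV4_RE.findall(line.replace("[.]", ".")):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # matched the pattern but is not a valid IPv4 address
            if ip in C2_SUBNET:  # parsed comparison, so 183.142.209.19 is not a hit
                label = "primary-c2" if ip == C2_PRIMARY else "c2-subnet"
                hits.append((n, str(ip), label))
    return hits

def find_ioc_files(root):
    """Return router_init.js paths found anywhere below a node_modules directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Not limited to @tanstack: the campaign touched packages from other publishers.
        if "node_modules" in dirpath.split(os.sep) and IOC_FILENAME in files:
            hits.append(os.path.join(dirpath, IOC_FILENAME))
    return sorted(hits)

if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOG):
        print("network IoC:", hit)
    for path in find_ioc_files("."):
        print("file IoC (review, not proof):", path)
```

Matching on parsed addresses rather than on the string "83.142.209." avoids false positives from look-alike addresses such as the one on the second sample line.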
References
The Hacker News, May 15–16, 2026: https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html
The Register, May 15, 2026: https://www.theregister.com/security/2026/05/15/openai-caught-in-tanstack-npm-supply-chain-chaos-after-employee-devices-compromised/5241019
StepSecurity, May 11, 2026: https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
MITRE ATT&CK Techniques: https://attack.mitre.org/techniques/T1195/002/, https://attack.mitre.org/techniques/T1552/, https://attack.mitre.org/techniques/T1041/, https://attack.mitre.org/techniques/T1485/, https://attack.mitre.org/techniques/T1550/001/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their software supply chain. Our platform enables continuous visibility into vendor dependencies, automated detection of supply chain vulnerabilities, and actionable insights for remediation. For questions regarding this incident or to discuss how Rescana can support your supply chain security program, please contact us at ops@rescana.com.



