OpenAI Discloses Two Employee Devices Compromised in TanStack Supply Chain Attack

TL;DR OpenAI confirmed that two employee devices were compromised through the Mini Shai-Hulud supply chain attack targeting TanStack, resulting in limited credential exfiltration from internal code repositories. No production systems, user data, or intellectual property were affected. The company has revoked and reissued iOS, macOS, and Windows code-signing certificates, requiring macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas to update before June 12, 2026, when old certificates will be revoked.

What happened

OpenAI identified malicious activity on two employee devices that had accessed internal source code repositories. The compromise occurred through the TanStack supply chain attack, in which threat actors engineered a path to steal the CI pipeline's publish token at the moment of creation through a trusted cache mechanism.

The malware exhibited publicly documented behavior, including unauthorized access and credential-focused exfiltration. According to OpenAI, only limited credential material was successfully transferred from the impacted repositories; no other information or code was compromised. Upon detection, OpenAI isolated the affected systems and identities, revoked user sessions, rotated all credentials across impacted repositories, temporarily restricted code-deployment workflows, and audited user and credential behavior.

Because the compromised repositories contained signing certificates for iOS, macOS, and Windows products, OpenAI revoked the existing certificates and issued new ones. This action is being taken to prevent the potential distribution of counterfeit applications appearing to originate from OpenAI.

The incident marks the second time in two months that OpenAI has rotated macOS code-signing certificates. In mid-April 2026, following a GitHub Actions workflow compromise, the company rotated certificates after a malicious Axios library was downloaded on March 31. That incident involved UNC1069, a North Korean hacking group.

The broader campaign affecting OpenAI is part of a wider TanStack supply chain attack orchestrated by TeamPCP, which has compromised hundreds of packages associated with TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI.

Why it matters

For developers and infrastructure teams in the region, this incident demonstrates several concrete risks:

Credential harvesting at scale: The malware captures environment variables, SSH keys and configuration files, dotenv files, and Docker container credentials. Analysis revealed that the credential collection module targets all 19 AWS availability zones, including restricted GovCloud regions reserved for U.S. government and defense contractors.

Certificate revocation deadline: macOS users operating ChatGPT Desktop, Codex App, Codex CLI, or Atlas must update before June 12, 2026. After that date, built-in macOS protections will block downloads and launches of applications signed with the revoked certificates.

Sophisticated attack chain: TanStack confirmed that no maintainer was phished, had a password leak, or had credentials stolen. Instead, attackers engineered the CI pipeline to steal its own publish token at creation time through a trusted cache mechanism—an approach that circumvents conventional credential protection.

Supply chain propagation: OpenAI notes that modern software depends on interconnected open-source libraries, package managers, and CI/CD infrastructure, meaning vulnerabilities introduced upstream propagate rapidly across organizations and downstream users.

Geo-targeted destructive payloads: The malware contains conditional logic that activates destructive behavior on machines geolocated to Israel or Iran, triggering audio playback at maximum volume followed by file deletion on a 1-in-6 probability basis.

Affected systems and CVEs

OpenAI products requiring immediate macOS updates:

• ChatGPT Desktop
• Codex App
• Codex CLI
• Atlas

Other confirmed affected products (broader campaign):

• TanStack
• Mistral AI npm and PyPI SDKs
• UiPath packages
• OpenSearch packages
• Guardrails AI (guardrails-ai and mistralai packages)

CVE identifiers: No CVE assigned at the time of publication.

What to do

• Update macOS versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas to the latest versions before June 12, 2026.
• Monitor for blocked application launches on macOS after the certificate revocation date if updates are not applied.
• Audit environment variables, SSH keys, configuration files, and Docker credentials on any systems that may have executed the compromised packages.
• Review AWS access logs across all 19 availability zones, particularly GovCloud regions, for unauthorized activity.
• Rotate all credentials and API tokens that may have been exposed through development environments.
• Restrict CI/CD pipeline permissions to reduce the window for publish-token theft through cache mechanisms.
• Review internal source code repositories for any unauthorized access or modifications.

Open questions

• The source does not specify whether the 5GB of internal source code threatened by TeamPCP from Mistral AI was ultimately leaked or remains unreleased.
• The exact scope of TeamPCP's broader supply chain campaign beyond the named vendors (TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI) is not documented.
• The total number of downstream developers and organizations affected by trojanized TanStack packages remains unspecified.
• The identity and number of impacted developers at organizations other than OpenAI and Mistral AI is not disclosed.
• It is unclear whether the mid-April GitHub Actions workflow compromise by UNC1069 was coordinated with the TanStack campaign or represents a separate attack vector.

Source

TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates