OpenAI confirmed that the recent TanStack supply chain attack compromised two employee devices and exposed credential material stored in internal source code repositories. The incident began after the TeamPCP hacking group abused weaknesses in the package publishing process to distribute 84 malicious packages tied to the TanStack open source development ecosystem.
Recently, the TeamPCP group launched a new wave of the Mini Shai-Hulud worm, compromising legitimate npm packages through hijacked GitHub Actions OIDC tokens. The malware spread through trusted release pipelines and even generated valid SLSA Level 3 attestations, making the malicious packages appear legitimate. Researchers say the worm steals secrets from CI/CD environments, targets more than 100 credential locations, installs persistence mechanisms in developer tools like VS Code and Claude Code, and spreads automatically to other packages controlled by compromised maintainers. The campaign has already affected packages linked to TanStack, UiPath, DraftLab, and others.
The recent TanStack supply chain attack also impacted OpenAI after two employee devices downloaded malicious packages tied to the Mini Shai-Hulud campaign. Attackers stole credential material and secrets from those systems, gaining access to a limited number of internal source code repositories connected to the affected employees.
OpenAI said the security breach had a limited impact and found no evidence that customer data, production systems, or intellectual property were compromised. The company responded by rotating exposed credentials, revoking active sessions, and temporarily tightening restrictions around code deployment workflows.
“We observed activity consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access.” reads the post published by OpenAI. “We confirmed that only limited credential material was successfully exfiltrated from these code repositories and that no other information or code was impacted.”
The compromised repositories included code-signing certificates used for iOS, macOS, Windows, and Android applications. As a precaution, OpenAI revoked the certificates and began re-signing affected software packages.
“We are updating our security certificates, which will require all macOS users to update their OpenAI apps to the latest versions.” continues the post. “This helps prevent any risk, however unlikely, of someone attempting to distribute a fake app that appears to be from OpenAI.”
The company warned that macOS users must update their OpenAI applications before June 12, 2026, or the software may stop receiving updates and could eventually stop functioning correctly.
OpenAI also coordinated with platform providers to block any attempt to abuse the stolen certificates for malicious notarization activities and reviewed previously signed software for signs of tampering.
“We have also reviewed all notarization of software using our previous certificates to confirm no unexpected software signing has occurred with these keys, and validated that our published software did not have unauthorized modifications.” states OpenAI. “We have found no evidence of compromise or risk to existing software installations.”
According to the company, the incident occurred during an ongoing migration to hardened configurations introduced after the earlier Axios supply chain attack. The two infected employee devices had not yet received the updated protections that likely would have blocked the malicious package downloads.
“This incident reflects a broader shift in the threat landscape: attackers are increasingly targeting shared software dependencies and development tooling rather than any single company.” concludes the company.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, supply chain attack)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。