OpenAI has disclosed details of its response to the recent TanStack npm supply chain attack, confirming that two employee devices were affected during the broader malware campaign known as Mini Shai-Hulud. The company said it found no evidence that customer data, production systems, or intellectual property were compromised during the incident.
The disclosure comes as software supply chain attacks continue to target widely used open-source dependencies and developer tooling. OpenAI stated that the attack involved a compromised version of the popular open-source library TanStack npm, which was used in parts of its internal environment.
According to the company, the incident was identified on May 11, 2026 UTC. OpenAI said it quickly launched an investigation, isolated affected systems, revoked sessions, rotated credentials, and temporarily restricted parts of its code deployment workflows as part of its containment efforts.
TanStack npm Supply Chain Attack Hit Two Employee Devices
OpenAI said the malware activity was limited to two employee devices within its corporate environment. During the investigation, the company observed behavior consistent with publicly reported details of the Mini Shai-Hulud malware campaign, including credential theft and unauthorized access attempts involving a limited number of internal source code repositories.
The company clarified that only a small amount of credential material was successfully exfiltrated and that no customer information or application code was affected.
OpenAI also engaged a third-party digital forensics and incident response firm to support the investigation and remediation process.
The impacted repositories included code-signing certificates used for OpenAI products across macOS, Windows, iOS, and Android platforms. As a precaution, the company is rotating those certificates and re-signing its applications with updated credentials.
macOS Users Required to Update OpenAI Apps
As part of the response to the TanStack npm supply chain attack, OpenAI is requiring all macOS users to update their applications before June 12, 2026.
The company warned that older macOS versions signed with previous certificates may stop functioning after that date because Apple’s security protections will block applications signed with the outdated credentials once the certificates are fully revoked.
Affected macOS applications include:
- ChatGPT Desktop
- Codex App
- Codex CLI
- Atlas
OpenAI said users can safely update through built-in application update mechanisms or official download pages. The company also warned users not to install apps from links shared through emails, messages, advertisements, or third-party download websites.
The company emphasized that it has not detected any malicious software signed using OpenAI certificates. It also confirmed that existing software installations were reviewed and no unauthorized modifications were identified.
No Impact to Customer Passwords or API Keys
In its FAQ, OpenAI stated that customer passwords, API keys, and user data were not exposed during the incident. The company also said it found no evidence that attackers used compromised credentials for follow-on access or further malicious activity.
Windows and iOS users are not required to take immediate action, though OpenAI noted that all applications are being re-signed with new certificates as part of the broader remediation effort.
The company explained that it delayed full certificate revocation until June 12 to avoid disrupting legitimate users. OpenAI said it has already worked with platform providers to block any new notarization attempts using the impacted certificates, reducing the likelihood of fake applications being distributed as legitimate OpenAI software.
OpenAI Highlights Growing Risk of Software Supply Chain Attacks
The company said the TanStack npm supply chain attack reflects the growing cybersecurity risks tied to modern software ecosystems, where organizations rely heavily on shared open-source libraries, package managers, and CI/CD infrastructure.
OpenAI noted that it had already been deploying additional security controls before the incident, including stricter package management protections, enhanced validation of third-party components, and stronger safeguards around sensitive CI/CD credentials.
However, the company acknowledged that the two affected employee devices had not yet received the updated security configurations that could have prevented the malicious package from being downloaded.
The incident adds to increasing industry concerns around software supply chain security, especially as threat actors continue targeting trusted development tools and widely used open-source packages to gain access to enterprise environments.
