May 15 / Latest News

OpenAI Confirms Employee Devices Hit in TanStack Supply Chain Attack

OpenAI has confirmed that two employee devices inside its corporate environment were compromised as part of the Mini Shai‑Hulud supply chain attack linked to TanStack, marking the second time in two months the company has been forced to rotate its macOS code‑signing certificates.

The company emphasized that no user data, production systems, or proprietary models were accessed or altered. According to OpenAI, the attackers gained access to a limited set of internal source‑code repositories after malware executed credential‑stealing behavior consistent with public reporting on the Shai‑Hulud campaign. Only a small amount of credential material was exfiltrated, and no other code or sensitive information was affected.

The company said it moved quickly to isolate affected systems, revoke sessions, rotate credentials, restrict deployment workflows, and audit internal activity. Because the compromised repositories included signing certificates for macOS, iOS, and Windows products, OpenAI revoked the certificates and issued new ones. macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas must update their applications before June 12, 2026, when older certificates will be blocked by macOS protections. Windows and iOS users do not need to take action.

The incident follows an earlier certificate rotation in April, when a GitHub Actions workflow inadvertently pulled a malicious Axios library compromised by North Korean threat group UNC1069. OpenAI said both events highlight a broader trend: attackers are increasingly targeting shared software dependencies and CI/CD pipelines rather than individual companies.

The disclosure comes amid a wave of supply chain compromises tied to TeamPCP, which has breached hundreds of packages associated with TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. TanStack said no maintainer credentials were stolen; instead, the attackers manipulated its CI pipeline to steal a publish token at the moment it was generated. TeamPCP has since launched a supply chain attack “contest” with a $1,000 Monero reward and is attempting to sell 5GB of internal Mistral AI source code.

Mistral AI confirmed that trojanized versions of its npm and PyPI SDKs were released due to the TanStack compromise and that one developer device was impacted, though its infrastructure remains intact.

Further analysis of the Shai‑Hulud malware revealed a hard‑coded command‑and‑control server and a fallback mechanism called FIRESCALE, which scans global GitHub commit messages for signed alternative servers. The malware exfiltrates data through three redundant channels, ensuring persistence even if one path is blocked. It also aggressively targets AWS credentials across all 19 availability zones, including restricted U.S. government regions.

Researchers also uncovered destructive behavior: on systems geolocated to Israel or Iran, the malware has a one‑in‑six chance of blasting audio at maximum volume before wiping accessible files. The malware exits on Russian‑locale systems, echoing previous TeamPCP campaigns that deployed “kamikaze” wipers against Kubernetes clusters.

Security analysts say the toolkit is unusually capable, harvesting environment variables, SSH keys, Docker credentials, and dotenv files while traversing entire home directories. The campaign underscores the growing fragility of modern software supply chains and the ease with which upstream compromises can cascade across the industry.
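For responders scoping credential rotation on a developer machine after an incident like this, the following added example (not code from OpenAI, TanStack, or the researchers cited) inventories the categories of material named above: SSH private keys, Docker credentials, dotenv files, and secret-bearing environment variables. The variable-name heuristic, the skipped directories, and the sample home directory are assumptions constructed for illustration; only paths and names are reported, never values.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed heuristic: environment variable names that usually hold secrets.
SECRET_ENV = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY|ACCESS_KEY", re.I)
SKIP_DIRS = {"node_modules", ".git", ".cache"}  # assumed; keeps the walk fast

def classify(path):
    """Return the credential category of a file, or None."""
    name, parent = path.name, path.parent.name
    if name == ".env" or name.startswith(".env."):
        return "dotenv"
    if parent == ".docker" and name == "config.json":
        return "docker"
    if parent == ".ssh" and not name.endswith(".pub"):
        try:  # only the PEM header is inspected, never the key body
            with path.open("rb") as fh:
                if b"PRIVATE KEY-----" in fh.read(200):
                    return "ssh_private_key"
        except OSError:
            pass  # unreadable file or broken symlink: not counted
    return None

def inventory(home, environ):
    """List credential material by category: paths and names only."""
    found = {"ssh_private_key": [], "docker": [], "dotenv": [], "env_var": []}
    for root, dirs, files in os.walk(home):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for fname in files:
            path = Path(root) / fname
            kind = classify(path)
            if kind:
                found[kind].append(path.relative_to(home).as_posix())
    found["env_var"] = [k for k in environ if SECRET_ENV.search(k)]
    return {kind: sorted(items) for kind, items in found.items()}

def demo():
    """Run the inventory over a constructed home directory (sample data)."""
    sample = {".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nX\n",
              ".ssh/id_ed25519.pub": "ssh-ed25519 CONSTRUCTED\n",
              ".docker/config.json": "{}",
              "proj/.env": "K=V\n",
              "proj/node_modules/x/.env": "K=V\n"}
    env = {"NPM_TOKEN": "x", "AWS_SECRET_ACCESS_KEY": "x", "PATH": "/bin"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in sample.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(text)
        return inventory(Path(tmp), env)
```

Every entry the inventory returns is a credential to treat as exposed and rotate if the host ran a trojanized package.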