TanStack supply-chain hack hits two OpenAI devices

Two OpenAI employee devices were infected via the Mini Shai-Hulud TanStack supply-chain attack; limited credentials were exfiltrated and macOS signing certificates were revoked.

Two OpenAI employee devices were compromised by the Mini Shai-Hulud supply-chain malware that targeted TanStack, resulting in limited credential exfiltration from a small set of internal source code repositories. OpenAI reported no user data, production systems, or intellectual property were accessed or modified without authorization.

OpenAI detected the activity, investigated, contained affected systems, and isolated impacted identities. The company revoked user sessions, rotated credentials in the impacted repositories, temporarily restricted code-deployment workflows and audited user and credential behavior. Repositories accessed by the malware included signing certificates for iOS, macOS and Windows builds; OpenAI revoked those certificates and issued new ones.

Because macOS apps signed with the older certificate will be blocked by built-in macOS protections after revocation, OpenAI asked macOS users to update ChatGPT Desktop, Codex App, Codex CLI and Atlas before the certificates are revoked on June 12, 2026. Windows and iOS users were told they do not need to take action. OpenAI rotated its macOS code-signing certificates in mid-April, after a GitHub Actions workflow used to sign macOS apps downloaded a compromised Axios library on March 31; that library had links to the UNC1069 group.

TanStack described how the attacker abused a continuous integration pipeline and a trusted cache to obtain a publish token at the moment it was created. “Just to be clear, no maintainer was phished, had a password leak, or a token stolen from their account,” TanStack wrote, adding that the attacker engineered a path where the CI pipeline exposed its own publish token through a trusted cache.

The activity has been tied to a broader campaign by a group calling itself TeamPCP. The group has claimed responsibility for trojanized packages across npm, PyPI and other registries and announced a contest that offers payment for further compromises. Mistral AI confirmed trojanized versions of its npm and PyPI SDKs were released and said one developer device was impacted; the company reported no evidence of an infrastructure breach.

Technical analysis shows the malware uses a multi-tiered command-and-control design. Hunt.io reported a hard-coded primary C2 server address of 83.142.209[.]194 and a fallback mechanism called FIRESCALE. When the primary C2 is unavailable, the malware searches public GitHub commit messages for a signed alternative server URL verified against an embedded 4,096-bit RSA key. Exfiltration follows three paths in sequence: the primary C2, the FIRESCALE dead-drop redirect, and the victim’s own GitHub repository.
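A defender-side triage for the C2 ordering described above, as an added example that is not from Hunt.io, OpenAI or the original article: it runs over constructed egress-proxy log lines and flags contact with the reported primary C2, plus any commit search that follows it on the same host. The log format, the host names and the use of GitHub's commit search API for the commit-message lookup are assumptions.

```python
import re
from collections import defaultdict

# Primary C2 as reported on this page (stored defanged, refanged only for matching).
PRIMARY_C2 = "83.142.209[.]194".replace("[.]", ".")
# Assumption: the commit-message lookup goes through GitHub's commit search API.
COMMIT_SEARCH = re.compile(r"^api\.github\.com/search/commits\b")

# Constructed sample, oldest first: "<timestamp> <host> <status> <method> <dest>"
SAMPLE_LOG = """\
2026-05-01T10:00:01Z build-07 000 CONNECT 83.142.209.194:443
2026-05-01T10:00:09Z build-07 200 GET api.github.com/search/commits?q=placeholder
2026-05-01T10:00:15Z build-07 200 CONNECT 203.0.113.50:443
2026-05-01T10:02:00Z dev-12 200 GET api.github.com/repos/example/app/pulls
2026-05-01T10:03:00Z dev-31 200 GET api.github.com/search/commits?q=fix+typo
"""

def triage(log_text):
    """Return {host: sorted findings} for hosts worth investigating."""
    findings = defaultdict(set)
    c2_seen = set()  # hosts that have already tried the primary C2
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        _, host, _, _, dest = parts
        dest_host = dest.split("/", 1)[0].rsplit(":", 1)[0]
        if dest_host == PRIMARY_C2:
            c2_seen.add(host)
            findings[host].add("primary-c2-contact")
        elif COMMIT_SEARCH.match(dest):
            # Commit search alone is common and only merits review; after a
            # primary C2 attempt it matches the fallback order described above.
            tag = "fallback-sequence" if host in c2_seen else "commit-search-review"
            findings[host].add(tag)
    return {h: sorted(tags) for h, tags in findings.items()}

if __name__ == "__main__":
    for host, tags in triage(SAMPLE_LOG).items():
        print(host, ", ".join(tags))
```

A host tagged `fallback-sequence` is the one to isolate first; `commit-search-review` on its own is low confidence, because ordinary developer tooling also queries commit search.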

Researchers also found the toolkit aggressively harvests credentials and environment data. The collection module targets all 19 Amazon Web Services availability zones, including the two GovCloud regions. The malware captures environment variables, SSH keys and configuration, dotenv files, and credentials from running Docker containers. Some variants include destructive actions: on machines geolocated to Israel or Iran the malware can play loud audio and delete accessible files with a probability gate, and other variants were detected on systems using a Russian locale.

OpenAI framed the incident as part of an increase in attacks focused on shared dependencies and development tooling. “This incident reflects a broader shift in the threat landscape: attackers are increasingly targeting shared software dependencies and development tooling rather than any single company,” OpenAI wrote. The company said it has taken steps to limit risk while it completes its review.
