TanStack Supply Chain Attack Compromises Two OpenAI Devices, Mandates macOS Updates

In a significant cybersecurity incident, OpenAI has reported that two employee devices were compromised due to the Mini Shai-Hulud supply chain attack targeting TanStack. This breach, however, did not result in unauthorized access to user data, production systems, or intellectual property. The company has taken immediate steps to mitigate the impact and secure its environment.

Incident Overview

Upon discovering the malicious activity, OpenAI swiftly initiated an investigation and containment process. The organization confirmed that the malware exhibited behaviors consistent with unauthorized access and credential-focused exfiltration within a limited subset of internal source code repositories accessible to the affected employees. OpenAI stated that only a small amount of credential material was successfully extracted from these repositories, with no other information or code compromised.

In response to the incident, OpenAI isolated the impacted systems, revoked user sessions, rotated credentials across the affected repositories, and temporarily restricted code-deployment workflows. A thorough audit of user and credential behavior was also conducted to ensure the integrity of their systems.

Certificate Revocation and User Impact

The repositories involved included signing certificates for iOS, macOS, and Windows products. Consequently, OpenAI has revoked these certificates and issued new ones. As a result, macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas must update their applications to the latest versions to maintain security. OpenAI emphasized that this precaution aims to prevent any potential risk of distributing counterfeit applications masquerading as legitimate OpenAI products. Users of Windows and iOS applications are not required to take any action.

The revoked certificates are scheduled to be invalidated on June 12, 2026. After this date, any new downloads or launches of applications signed with the previous certificate will be blocked by built-in macOS protections. Users are advised to apply updates before this cut-off date for optimal security.

Broader Implications of the Attack

This incident marks the second time in recent months that OpenAI has rotated its code-signing certificates for macOS. In mid-April 2026, the company took similar measures after a GitHub Actions workflow inadvertently downloaded a compromised Axios library linked to the North Korean hacking group UNC1069.

OpenAI noted that the attack reflects a broader shift in the threat landscape, where attackers increasingly target shared software dependencies and development tools rather than focusing solely on individual companies. The interconnected nature of modern software ecosystems—comprising open-source libraries, package managers, and CI/CD infrastructure—means that vulnerabilities can propagate rapidly across organizations.

Ongoing Threats and Supply Chain Vulnerabilities

The timing of this incident coincides with TeamPCP’s ongoing supply chain attack campaign, which has affected numerous organizations, including TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. This campaign aims to distribute malware to downstream developers while stealing credentials to extend the scale of breaches.

TanStack clarified that no maintainer was phished, nor were passwords leaked or tokens stolen from accounts. Instead, the attackers engineered a sophisticated method that caused TanStack's own CI pipeline to steal its own publish token at the moment of creation, exploiting a cache trusted by all parties involved.

In a troubling development, TeamPCP has announced a supply chain attack contest in collaboration with the Breached cybercrime forum, offering participants a reward of $1,000 in Monero for compromising open-source packages using the Shai-Hulud worm. The group has also threatened to leak approximately 5GB of internal source code from Mistral AI unless a ransom of $25,000 is paid.

Technical Analysis of the Attack

Mistral AI confirmed that it was affected by the supply chain attack linked to TanStack, resulting in the release of trojanized versions of its npm and PyPI SDKs. Although a single developer device was compromised, there is no evidence to suggest that Mistral AI’s infrastructure was breached.

A deeper analysis of the modular Python toolkit delivered to Linux systems via the guardrails-ai and mistralai packages revealed that the primary command-and-control (C2) server address, 83.142.209[.]194, is hard-coded. If this primary C2 becomes unreachable, a fallback mechanism known as FIRESCALE is activated. This mechanism searches public GitHub commit messages globally for a signed alternative server URL, verified against an embedded RSA key.
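
An added detection example, not part of the original reporting: it scans egress log lines for the hard-coded C2 address above and escalates a host when the same machine performs a GitHub commit search shortly afterwards, which is the pattern the fallback would produce. The log format, the 30-minute window, and the use of api.github.com/search/commits as the observable for the fallback are assumptions; the sample log lines are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# IOC quoted (defanged) in the article, refanged here for matching.
PRIMARY_C2 = "83.142.209[.]194".replace("[.]", ".")
# Assumption: the fallback lookup is visible as GitHub commit-search traffic.
FALLBACK = ("api.github.com", "/search/commits")
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample egress log: time, source host, destination, path, result.
SAMPLE_LOG = """\
2026-05-12T09:00:01,build-07,83.142.209.194,/,timeout
2026-05-12T09:00:40,build-07,api.github.com,/search/commits,200
2026-05-12T09:02:10,dev-laptop-3,api.github.com,/search/commits,200
2026-05-12T09:05:00,dev-laptop-9,83.142.209.194,/,200
2026-05-12T11:30:00,build-07,registry.npmjs.org,/example-package,200
"""


def triage(log_text):
    """Map each host that contacted the primary C2 to a severity label.

    Expects rows in time order. A commit search on its own is normal
    developer traffic and is not flagged; it only escalates a host that
    already attempted the C2 within WINDOW.
    """
    c2_seen = {}   # host -> time of most recent C2 attempt
    findings = {}  # host -> severity label
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, host, dest, path, _result = row
        when = datetime.fromisoformat(ts)
        if dest == PRIMARY_C2:
            c2_seen[host] = when
            findings.setdefault(host, "c2-contact")
        elif dest == FALLBACK[0] and path.startswith(FALLBACK[1]):
            last = c2_seen.get(host)
            if last is not None and timedelta(0) <= when - last <= WINDOW:
                findings[host] = "c2-contact+fallback-lookup"
    return findings


if __name__ == "__main__":
    for host, label in sorted(triage(SAMPLE_LOG).items()):
        print(host, label)
```

Any host returned here warrants isolation and credential rotation regardless of label; the escalated label only indicates that the primary C2 was likely unreachable from that machine.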

The collection module responsible for harvesting Amazon Web Services (AWS) credentials targets all 19 availability zones, including those restricted to U.S. government agencies and defense contractors. Notably, the malware exhibits destructive behavior on machines located in Israel or Iran, activating audio playback at maximum volume and subsequently deleting all accessible files.

Conclusion

The ongoing supply chain attack campaigns highlight the vulnerabilities inherent in modern software development practices. As attackers increasingly exploit shared dependencies and development tools, organizations must remain vigilant and proactive in securing their environments. The recent incidents involving OpenAI and TeamPCP serve as a stark reminder of the evolving threat landscape and the critical importance of robust cybersecurity measures.

For further insights into the implications of these developments, refer to the original reporting source: thehackernews.com.
