
OpenAI Discloses Local Machine Compromises Following Multi-Stage TanStack Supply Chain Attack

Cyber RT · May 15, 2026 · 3 min read

OpenAI reported a Mini Shai-Hulud supply chain attack affecting two employee devices, but no user data or intellectual property was compromised. The attack targeted TanStack, leading to unauthorized access to internal code repositories. OpenAI isolated systems, rotated credentials, and revoked certificates. The incident highlights the growing threat of attacks on shared software dependencies. TeamPCP continues to exploit vulnerabilities, targeting multiple organizations in a broader supply chain attack campaign.

OpenAI has revealed that two of its employee devices were affected by the Mini Shai-Hulud supply chain attack on TanStack. Despite this breach, OpenAI assured that no user data, production systems, or intellectual property were compromised. The company acted swiftly to investigate and contain the threat, observing unauthorized access and credential exfiltration activities in a limited subset of internal source code repositories accessible to the affected employees. The AI company stated that only a limited amount of credential material was transferred from these repositories, with no other information or code being impacted.

Upon discovering the malicious activity, OpenAI took immediate actions to secure its systems, including isolating affected systems, revoking user sessions, rotating credentials, restricting code-deployment workflows, and auditing user and credential behavior. Due to the attack, OpenAI revoked and reissued signing certificates for iOS, macOS, and Windows products. This measure was taken to prevent the risk of distributing fake apps under OpenAI’s name. macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas are required to update their apps, while Windows and iOS users do not need to take any action. The revoked certificates will be invalidated by June 12, 2026, after which apps signed with them will be blocked by macOS protections.

This incident marks the second time OpenAI has rotated its macOS code-signing certificates in recent months. In April 2026, OpenAI had to rotate certificates after a GitHub Actions workflow led to the download of a malicious library compromised by a North Korean hacking group, UNC1069. OpenAI noted that this reflects a broader shift in the threat landscape, where attackers target shared software dependencies and development tools rather than individual companies.

The attack on OpenAI is part of a larger campaign by TeamPCP, which has compromised numerous packages associated with TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. TeamPCP has also announced a supply chain attack contest, offering a $1,000 reward in Monero for compromising open-source packages using the Shai-Hulud worm. The group has threatened to leak 5GB of internal source code from Mistral AI unless a $25,000 ransom is paid. Mistral AI confirmed it was affected by the supply chain attack, resulting in trojanized versions of its npm and PyPI SDKs. The attack impacted a single developer device, but there is no evidence of a breach in its infrastructure.

The malware delivered through this attack includes a hard-coded primary command-and-control server, with a fallback mechanism called FIRESCALE if the primary server becomes unreachable. The malware campaign also exhibits destructive behavior, particularly targeting machines in Israel or Iran. In these regions, the malware can activate audio playback at maximum volume and delete all accessible files. These actions mirror previous attacks by TeamPCP, indicating a deliberate and sophisticated operation. The malware is capable of capturing a wide range of credentials and environment variables, showcasing its advanced capabilities.