ARTFEED — Contemporary Art Intelligence

OpenAI Responds to TanStack npm Supply Chain Attack

other · 2026-05-14

On May 11, 2026, the open-source TanStack npm library was compromised as part of the Mini Shai-Hulud supply chain attack. Two employee devices at OpenAI were impacted, leading to unauthorized access to, and credential exfiltration from, a limited subset of internal source code repositories. OpenAI found no evidence that customer data, user data, or intellectual property was compromised.

The impacted repositories included code-signing certificates for OpenAI's iOS, macOS, and Windows products. As a precaution, OpenAI is rotating these certificates and will revoke the old certificate on June 12, 2026, so macOS users must update their apps by that date. Windows and iOS users need no action. OpenAI has blocked further notarization with the impacted certificate and validated that no unauthorized software signing occurred.

After the Axios incident, the company had accelerated deployment of security controls, including hardening of CI/CD credentials and package manager configurations; the two impacted devices lacked these updated controls. OpenAI is coordinating with platform providers to prevent misuse of the impacted certificates.

Key facts

  • TanStack npm compromised on May 11, 2026 as part of the Mini Shai-Hulud attack.
  • Two OpenAI employee devices impacted; no customer or user data compromised.
  • Limited credential material exfiltrated from source code repositories.
  • Code-signing certificates for iOS, macOS, and Windows impacted.
  • macOS users must update apps by June 12, 2026.
  • Windows and iOS users need no action.
  • OpenAI blocked further notarization with impacted certificate.
  • No evidence of malicious software signed with OpenAI certificates.

Entities

Institutions

  • OpenAI
  • TanStack
  • Axios

Sources