OpenAI disclosed that a supply chain attack involving malicious packages in the TanStack ecosystem resulted in the compromise of two employee devices. The incident also led to the exposure of some credentials from internal source code repositories. The attack has been linked to the threat group TeamPCP, which abused the package publishing process to distribute 84 malicious npm packages as part of a malware campaign known as “Mini Shai-Hulud.”
Reports indicate that Mini Shai-Hulud stole GitHub Actions OIDC tokens to inject malware into CI/CD processes. The malware was also used to make malicious packages appear trustworthy. It was reportedly capable of creating valid SLSA Level 3 attestations, stealing secrets from CI/CD systems, searching for credentials across more than 100 locations, establishing persistence in development tools such as VS Code and Claude Code, and spreading to other packages maintained by compromised developers. The campaign had previously affected packages associated with TanStack, UiPath, and DraftLab.
OpenAI stated that the attackers were able to access some internal source code repositories using credentials stolen from employee devices. The company also found that information related to code-signing certificates for iOS, macOS, Windows, and Android had been accessed. In response, OpenAI revoked all affected certificates, rotated credentials, terminated active sessions, and began re-signing its software to reduce further risk. However, the company said it found no evidence that customer data, production systems, or intellectual property had been accessed. OpenAI also advised macOS users to update OpenAI applications to the latest version before June 12, 2026, to avoid potential security and future update issues. The company noted that the incident reflects a growing trend in cyber threats, where attackers increasingly target software dependencies, development tools, and shared build environments rather than directly attacking the target organization.