OpenAI Faces Supply Chain Attack via TanStack npm Library

OpenAI Faces Supply Chain Attack via TanStack npm Library

First seen 14 May 2026, 10:27 UTC OpenaiNews.AzThenextwebTipranksTechnadu+28 85% similarity 57.8

Article Content

Browse articles
ThreatCluster

OpenAI confirmed a security breach affecting two employee devices due to a supply chain attack linked to the TanStack npm library, part of a broader campaign called Mini Shai-Hulud. The attack involved the publication of 84 malicious package versions, which were executed via TanStack's legitimate release pipeline. OpenAI's investigation revealed that only limited credential material was exfiltrated from internal repositories, and no user data, production systems, or intellectual property were compromised. As a precaution, OpenAI is rotating its code-signing certificates, requiring macOS users to update their applications by June 12, 2026. Windows and iOS users are unaffected and do not need to take action. The incident highlights the growing risks associated with supply chain vulnerabilities in software development.

Key Points: • OpenAI's breach involved two employee devices compromised through malicious TanStack npm packages. • No user data or production systems were compromised; only limited credential material was exfiltrated. • macOS users must update their applications by June 12, 2026, due to rotated code-signing certificates.

ThreatCluster AI

Timeline

2026-05-11
Malicious TanStack packages published
84 malicious versions of TanStack packages were published within a six-minute window, exploiting the legitimate release pipeline.
TechCrunch
2026-05-13
OpenAI discloses security incident
OpenAI confirmed the security breach and stated that no user data or systems were compromised.
OpenAI
2026-05-14
OpenAI requires macOS app updates
OpenAI announced that macOS users must update their apps by June 12 due to rotated signing certificates.
Appleinsider

Community

Browse all →