Back

OpenAI Faces Supply Chain Attack via TanStack npm Library

Severity: Medium (Score: 57.8)

Sources: Technadu, Appleinsider, Openai, News.Az, Bleepingcomputer

Summary

OpenAI confirmed a security breach affecting two employee devices due to a supply chain attack linked to the TanStack npm library, part of a broader campaign called Mini Shai-Hulud. The attack involved the publication of 84 malicious package versions, which were executed via TanStack's legitimate release pipeline. OpenAI's investigation revealed that only limited credential material was exfiltrated from internal repositories, and no user data, production systems, or intellectual property were compromised. As a precaution, OpenAI is rotating its code-signing certificates, requiring macOS users to update their applications by June 12, 2026. Windows and iOS users are unaffected and do not need to take action. The incident highlights the growing risks associated with supply chain vulnerabilities in software development. Key Points: • OpenAI's breach involved two employee devices compromised through malicious TanStack npm packages. • No user data or production systems were compromised; only limited credential material was exfiltrated. • macOS users must update their applications by June 12, 2026, due to rotated code-signing certificates.

Key Entities

  • Data Breach (attack_type)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Worm (attack_type)
  • Mini Shai-Hulud (malware)
  • Shai-hulud (malware)
  • Shai-hulud 2.0 (malware)
  • Mini-Shai-Hulud (campaign)
  • Shai-Hulud Malware Campaign (campaign)
  • Aqua Security (company)
  • Guardrails AI (company)
  • Mistral AI (company)
  • OpenAI (company)
  • TanStack (company)
  • Axios (platform)
  • Android (platform)
  • Atlas (platform)
  • ChatGPT Desktop (platform)
  • Codex App (platform)
  • Bitwarden (tool)
  • OpenSearch (tool)
  • Codex CLI (tool)
  • Npm (tool)
  • SSH (tool)
  • North Korea (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • news.az (domain)
  • our.no (domain)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed