OpenAI has confirmed that a recent supply chain attack linked to malicious packages within the TanStack open source ecosystem affected two employee devices and resulted in the exposure of credential material stored in internal source code repositories. The company disclosed that the incident was tied to a wider malware campaign involving compromised npm packages distributed through weaknesses in package publishing mechanisms. According to OpenAI, attackers gained access to a limited number of internal repositories connected to the impacted employees, though the company stated there was no evidence of exposure involving customer data, production systems, or intellectual property.
The attack has been associated with the TeamPCP hacking group, which researchers say launched a new wave of the Mini Shai Hulud worm targeting software development environments. The malware campaign reportedly compromised legitimate npm packages by abusing hijacked GitHub Actions OpenID Connect tokens, allowing malicious code to move through trusted software release pipelines. Researchers explained that the campaign was able to generate valid SLSA Level 3 attestations, making infected packages appear authentic and difficult to identify. Security experts stated that the worm is designed to steal sensitive information from continuous integration and continuous deployment environments while targeting more than 100 credential locations. It also establishes persistence in developer tools such as VS Code and Claude Code and can spread automatically to additional packages controlled by compromised maintainers. Reports indicate that packages linked to TanStack, UiPath, DraftLab, and several other software projects have already been affected by the campaign.
OpenAI revealed that the security incident occurred after two employee devices downloaded malicious packages associated with the Mini Shai Hulud malware operation. The attackers reportedly extracted credential material and secrets from the infected systems, leading to unauthorized access to a limited subset of internal source code repositories. In a public statement, the company said it observed activity consistent with the malware’s documented behavior, including credential focused exfiltration and unauthorized access within repositories accessible to the affected employees. OpenAI stressed that only limited credential material was successfully extracted and no source code or additional internal information was impacted. In response, the company rotated compromised credentials, revoked active sessions, and temporarily implemented tighter controls around code deployment workflows to reduce further risk.
The compromised repositories included code signing certificates used across iOS, macOS, Windows, and Android applications. As a precautionary measure, OpenAI revoked the affected certificates and started re signing software packages to ensure software integrity. The company also warned macOS users to update OpenAI applications before June 12, 2026, noting that outdated applications could stop receiving updates and may eventually experience functionality issues. OpenAI further coordinated with platform providers to prevent misuse of stolen certificates for malicious notarization attempts and completed a review of previously signed software to detect any unauthorized modifications. According to the company, no signs of tampering or compromise were found in released software installations. OpenAI added that the breach took place during an ongoing migration toward hardened security configurations introduced after the earlier Axios supply chain incident, noting that the two affected employee devices had not yet received protections that may have prevented the malicious package downloads. The company also emphasized that attackers are increasingly focusing on shared software dependencies and developer tooling as part of a broader shift in cybersecurity threats.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
