    OpenAI Hit by TanStack Supply Chain Attack

    By The Tech Guy | May 16, 2026

    OpenAI has disclosed the impact of the recent TanStack supply chain attack, warning that credential material was exfiltrated from internal source code repositories.

    The open source web application development stack TanStack was hit on May 11, when the TeamPCP hacking group exploited security weaknesses in the package publishing process to release 84 malicious artifacts across 42 packages.

    Over 170 packages across several high-profile NPM and PyPI namespaces were compromised on the same day as part of a coordinated campaign. Developer devices were infected with the Shai-Hulud worm.

    OpenAI was one of the organizations affected downstream. Two employee devices were infected as part of the attack, and credentials and other secrets were exfiltrated from them.

    Despite its limited scope, the compromise granted the attackers access to several internal source code repositories that the two OpenAI employees had access to.

    “We confirmed that only limited credential material was successfully exfiltrated from these code repositories and that no other information or code was impacted,” OpenAI says.

    The company says it has rotated credentials across all affected repositories, revoked user sessions, and temporarily restricted code-deployment workflows. No customer data or intellectual property was affected in the attack, it says.

    The compromised repositories contained code-signing certificates for iOS, macOS, Windows, and Android products, and OpenAI decided to revoke the certificates and re-sign all applications.

    macOS users will need to update their applications by June 12, 2026. After that date, these products will no longer receive updates and might stop functioning properly.

    “We are updating our security certificates, which will require all macOS users to update their OpenAI apps to the latest versions. This helps prevent any risk, however unlikely, of someone attempting to distribute a fake app that appears to be from OpenAI,” the company says.

    OpenAI says it is also coordinating with platform providers to stop new notarizations and prevent the malicious use of the stolen certificates.

    “We have also reviewed all notarization of software using our previous certificates to confirm no unexpected software signing has occurred with these keys, and validated that our published software did not have unauthorized modifications. We have found no evidence of compromise or risk to existing software installations,” the company says.

    The incident, OpenAI says, occurred during a transition to hardened configurations and credential material. That transition was prompted by the Axios supply chain attack at the end of March, which affected a certificate and notarization material used to sign OpenAI’s macOS applications.

    Because the transition was implemented in phases, the two employee devices had not yet been updated with the new configurations, which would have prevented the malicious package downloads.
