OpenAI Confirms Limited Credential Theft in TanStack Supply Chain Attack

OpenAI confirmed two employee devices were compromised in the TanStack supply chain attack, resulting in limited credential theft from internal source code repositories. No user data or production systems were affected.


OpenAI (@OpenAI) confirmed Wednesday that two employee devices were compromised during this week's TanStack supply chain attack, resulting in unauthorized access and the theft of credentials from a limited subset of internal source code repositories.

The company said it found no evidence that user data was accessed, production systems were affected, intellectual property was exposed, or software was altered. According to OpenAI's official response, only limited credential material was taken. Signing keys for Windows, macOS, iOS, and Android were impacted, and all applications are being re-signed and released with new certificates. macOS users will need to update their apps before June 12, 2026, for them to continue functioning.

What Happened in the TanStack Attack

On May 11, 2026, between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack npm packages by chaining a GitHub Actions "Pwn Request" pattern, GitHub Actions cache poisoning across the fork-to-base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. The malicious versions were detected publicly within 20 minutes by an external researcher working for StepSecurity.

The two impacted OpenAI employee devices did not have updated configurations that would have prevented the download of the newly observed package containing malware. After an earlier Axios incident, OpenAI had accelerated deployment of specific security controls, including further hardening of sensitive credential materials used in its CI/CD pipeline and deployment of package manager configurations with controls like minimumReleaseAge. The attack occurred during the phased rollout of those controls.
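The release-age gate the paragraph refers to works by comparing each version's registry publish timestamp against a cutoff and refusing anything younger. Below is an added illustration of that logic in Node.js; it is not OpenAI's or any package manager's code (pnpm exposes the real setting as minimumReleaseAge, in minutes, in pnpm-workspace.yaml), and the package name, versions and timestamps are constructed to mimic the shape of an npm registry packument.

```javascript
// Constructed registry metadata (not real data): the "time" map records when each version
// was published. The package name is hypothetical.
const packument = {
  name: "@example/widget",
  "dist-tags": { latest: "1.4.2" },
  time: {
    created: "2025-01-10T09:00:00.000Z",
    modified: "2026-05-11T19:25:00.000Z",
    "1.4.0": "2026-03-02T14:00:00.000Z",
    "1.4.1": "2026-04-20T10:30:00.000Z",
    "1.4.2": "2026-05-11T19:23:00.000Z", // published inside the six-minute window the article describes
  },
};

// Numeric major.minor.patch comparison; enough for the constructed data above.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Return the newest version published at least `minAgeMinutes` before `now`.
// Versions that fail the gate are reported so a CI job can log what it refused to install.
function selectVersion(pkg, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  const eligible = [];
  const tooNew = [];
  for (const [version, published] of Object.entries(pkg.time)) {
    if (version === "created" || version === "modified") continue; // metadata keys, not versions
    const ts = Date.parse(published);
    if (Number.isNaN(ts)) continue; // malformed timestamp: never treat it as "old enough"
    (ts <= cutoff ? eligible : tooNew).push(version);
  }
  eligible.sort(compareVersions);
  return { chosen: eligible.length ? eligible[eligible.length - 1] : null, skipped: tooNew };
}

// Evaluated 20 minutes after the malicious publish window with a 7-day gate: "latest" (1.4.2)
// is refused and the previous release is selected instead.
const evaluatedAt = new Date("2026-05-11T19:46:00.000Z");
console.log(selectVersion(packument, 7 * 24 * 60, evaluatedAt));
// -> { chosen: '1.4.1', skipped: [ '1.4.2' ] }
```

A gate only delays exposure: it buys time for detection (the article notes the malicious versions were flagged publicly within 20 minutes), so it belongs alongside, not instead of, lifecycle-script restrictions and short-lived CI credentials.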

When any affected package version was installed, the malicious payload executed during npm lifecycle hooks and stole GitHub tokens, npm tokens, AWS credentials, GCP and Azure credentials, Kubernetes service account tokens, HashiCorp Vault tokens, and environment variables. The payload then identified npm packages the victim had publish access to, modified those archives to inject the same malicious dependency, and published new compromised releases. This worm behavior meant each compromised developer or CI runner became a new infection vector.

Attribution and Broader Scope

TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of the Mini Shai-Hulud campaign. TeamPCP is also responsible for compromising Aqua Security's Trivy scanner in March 2026 and the Bitwarden CLI npm package in April 2026.

In total, the coordinated supply chain attack on May 11, 2026 compromised over 170 npm packages and 2 PyPI packages, totaling 404 malicious versions. The affected packages have more than 518 million downloads cumulatively. In an escalation noted by security researchers, the compromised packages carried valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm to produce validly-attested malicious packages.

Sources:
OpenAI: Our Response to the TanStack npm Supply Chain Attack
TanStack: Postmortem on the npm Supply Chain Compromise
The Hacker News: Mini Shai-Hulud Worm Compromises TanStack and More Packages


Author

Crypto Rich

Rich has been researching cryptocurrency and blockchain technology for eight years and has served as a senior analyst at BSCN since its founding in 2020. He focuses on fundamental analysis of early-stage crypto projects and tokens and has published in-depth research reports on over 200 emerging protocols. Rich also writes about broader technology and scientific trends and maintains active involvement in the crypto community through X/Twitter Spaces, and leading industry events.
