Best crypto insights delivered straight to your inbox.
OpenAI denies user data exposure from TanStack npm, Mini Shai-Hulud supply chain attack
- OpenAI confirmed that two employee devices were compromised, but found no evidence that user data, production systems, or intellectual property were accessed or stolen.
- The “Mini Shai-Hulud” campaign exploited weaknesses in GitHub Actions to publish 84 malicious packages across 42 TanStack libraries.
- While Windows and iOS apps are safe, OpenAI is rotating code-signing certificates.
OpenAI has admitted that two employee devices were compromised through malicious versions of TanStack npm packages.
The company is insisting that no evidence that user data, production systems, or intellectual property were tampered with was found.
Was OpenAI hacked?
OpenAI has confirmed that malicious actors breached two of its employee devices as part of a massive software supply chain campaign called “Mini Shai-Hulud.”
OpenAI previously deployed controls to limit supply chain attack exposure after an incident with Axios, but the two affected employee devices had not yet received the updated configurations that would have blocked the malicious package download.
The attack targeted TanStack, an open-source library used by millions of developers. The attackers published 84 malicious versions across 42 npm packages, including the popular @tanstack/react-router, which is downloaded over 12 million times weekly.
An external researcher working for StepSecurity detected the malicious packages within roughly 20 minutes of publication and notified npm security directly.
This attack exploited the trust users have in automated build systems. The malicious code was published using TanStack’s own legitimate publishing keys, making it look like an official update.
Mini Shai-Hulud is a self reproducing malware that steals credentials like GitHub tokens, cloud keys, and SSH keys once a developer or CI/CD system installs it. The malware then attempts to republish to other packages the victim maintains.
Security researchers report that the campaign has compromised packages across the npm and PyPI ecosystems. Beyond OpenAI and TanStack, the attack has affected code belonging to Mistral AI, UiPath (NYSE: PATH), OpenSearch and Guardrails AI.
Researchers note that the payload installs a persistent daemon that acts as a “dead-man’s switch.” If a victim revokes a stolen GitHub token, the malware can trigger a command to wipe the user’s home directory.
Was OpenAI’s user data compromised?
Following the attack, OpenAI enlisted a third-party forensics firm to assist with the investigation. The company said it found no evidence that its user data was accessed or that its production systems, intellectual property or software were compromised.
However, the attackers still managed to extract some credential material from internal code repositories that those devices had access to. This included code-signing certificates for macOS apps.
Now, Mac users must update their ChatGPT Desktop, Codex, and Atlas apps latest by June 12, 2026, or the software will be blocked by macOS security protections.
OpenAI said it has found no evidence of malicious software signed with its certificates and no unauthorized modifications to published applications.
The company noted that new notarization with the old certificates has already been blocked, meaning any fraudulent app attempting to use them would lack Apple’s notarization and be stopped by macOS security protections by default.
The smartest crypto minds already read our newsletter. Want in? Join them.
FAQs
Was OpenAI user data or customer information exposed in the TanStack attack?
No. OpenAI stated it found no evidence that user data was accessed, that production systems were compromised, or that any published software was altered.
Do OpenAI users need to change their passwords or API keys?
OpenAI said customer passwords and API keys were not affected. However, macOS users must update their OpenAI desktop applications (ChatGPT Desktop, Codex App, Codex CLI, and Atlas) by June 12, 2026, when old signing certificates will be revoked.
How did the TanStack npm supply chain attack work?
An attacker exploited vulnerabilities in GitHub Actions workflows to poison the CI/CD cache of the TanStack Router repository, then used that access to publish 84 malicious package versions across 42 TanStack libraries that harvested developer credentials during installation, according to TanStack's postmortem.
Hannah Collymore
Hannah is a writer and editor with nearly a decade of blog writing and event reporting experience. She graduated from Arcadia university where she studied business administration. She now works with Cryptopolitan, where she contributes to reporting on the latest developments in the cryptocurrency, gaming, and AI industries.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)