OpenAI confirmed that two employee machines were compromised through the Mini Shai‑Hulud supply‑chain breach of TanStack. The incident forced a revocation of macOS signing certificates for several OpenAI apps and highlighted the growing risk of upstream library compromises.

OpenAI disclosed on May 15, 2026 that two of its corporate devices were infected via the Mini Shai‑Hulud supply‑chain attack targeting TanStack. The breach was limited to a handful of internal source‑code repositories that the affected employees could access. No production systems, user data, or proprietary models were altered, and only a small set of credentials was exfiltrated.
What happened?
TanStack, a popular collection of UI utilities and state‑management tools, was compromised by a sophisticated CI/CD hijack. The attacker injected a malicious version of the axios library—dubbed Mini Shai‑Hulud—into the package publishing pipeline. When OpenAI’s CI jobs pulled the tainted dependency, the malware executed on the build agents and then reached two developer workstations.
The malicious code performed three core actions:
- Credential harvesting – It scanned the local Git configuration, .env files, and SSH keys, then uploaded the data to a hard‑coded C2 server (83.142.209[.]194).
- Repository exfiltration – A subset of source files from the repositories the users had access to was copied to the attacker’s server.
- Persistence preparation – The payload wrote a small launch agent to the user’s ~/Library/LaunchAgents folder, ensuring it would survive a reboot until the breach was detected.
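A defender can triage the per-user LaunchAgents folder for this kind of persistence. The script below is an added example, not code from OpenAI or the article; the interpreter and path heuristics are assumptions (the article does not name the agent), and the sample plists are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

# Heuristics below are assumptions for this example; the article does not name the agent.
INTERPRETERS = {"node", "python", "python3", "sh", "bash", "zsh", "osascript"}
PATH_HINTS = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/.")  # temp, shared, hidden

def audit_plist(path):
    """Return the reasons a LaunchAgent plist deserves manual review (empty if none)."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # a malformed plist in this folder is itself a finding
        return [f"unparseable plist: {type(exc).__name__}"]
    if not isinstance(job, dict):
        return ["top-level object is not a dictionary"]
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    args = [str(a) for a in args if a]
    reasons = []
    if args and Path(args[0]).name in INTERPRETERS:
        reasons.append(f"runs interpreter {Path(args[0]).name}")
    if any(hint in arg for arg in args for hint in PATH_HINTS):
        reasons.append("references temp, shared or hidden path")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically at login")
    return reasons

def audit_launch_agents(directory):
    """Map plist filename -> reasons for every flagged agent in the directory."""
    results = {p.name: audit_plist(p) for p in sorted(Path(directory).glob("*.plist"))}
    return {name: why for name, why in results.items() if why}

def build_sample_dir():
    """Write two constructed agents (not from the incident) to a temp directory."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "com.example.updater.plist": ["/Applications/Example.app/Contents/MacOS/updater"],
        "com.example.helper.plist": ["/usr/local/bin/node", "/Users/dev/.cache/h.js"],
    }
    for name, argv in samples.items():
        with open(root / name, "wb") as fh:
            plistlib.dump({"Label": name[:-6], "ProgramArguments": argv, "RunAtLoad": True}, fh)
    return root

if __name__ == "__main__":
    # On a Mac, pass Path.home() / "Library/LaunchAgents" instead of the sample directory.
    for name, why in audit_launch_agents(build_sample_dir()).items():
        print(f"{name}: {'; '.join(why)}")
```

A flagged entry is a lead for manual review, not a verdict; legitimate developer tools also register interpreter-based agents.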
The attack mirrors earlier TanStack incidents reported by TeamPCP, which have now affected dozens of downstream projects, including UiPath, Mistral AI, OpenSearch, and Guardrails AI.
OpenAI’s response
"Upon identification of the malicious activity, we worked quickly to investigate, contain, and take steps to protect our systems," the company said in its advisory.
OpenAI’s incident‑response team took the following steps:
- Isolation – The two compromised workstations were removed from the corporate network.
- Credential rotation – All secrets, API tokens, and SSH keys linked to the affected repositories were revoked and regenerated.
- Session revocation – Active user sessions across OpenAI’s internal tools were terminated.
- Code‑signing certificate revocation – Because the compromised repos stored signing certificates for macOS, iOS, and Windows binaries, OpenAI revoked the old certificates and issued new ones.
- Workflow throttling – Automated deployment pipelines were temporarily paused while the integrity of the build environment was verified.
The revocation affects the macOS versions of ChatGPT Desktop, Codex App, Codex CLI, and Atlas. Users will see a prompt to download the updated binaries after June 12, 2026, when macOS Gatekeeper will block any launch of apps signed with the old certificate. No action is required for Windows or iOS versions.
Why macOS updates matter
macOS enforces code‑signing at launch time. When a certificate is revoked, Gatekeeper refuses to run the binary and displays a warning. By rotating the certificates, OpenAI eliminates the risk of a threat actor crafting a counterfeit installer that appears legitimate. This defensive move is especially important for desktop clients that run with elevated privileges to access local files and network resources.
Expert perspective
"Supply‑chain attacks have moved from rare, high‑profile incidents to a daily operational risk for any organization that relies on open‑source components," says Dr. Maya Patel, senior security architect at CrowdStrike. "The TanStack breach underscores two things: first, CI pipelines are now a primary attack surface, and second, organizations must treat third‑party dependencies as critical assets that need continuous verification."
Patel recommends a layered approach:
- SBOM enforcement – Generate a Software Bill of Materials for every build and compare it against an allow‑list of known‑good versions.
- Immutable build environments – Use container‑based CI agents with read‑only filesystems, so a compromised package cannot write persistent changes.
- Runtime integrity monitoring – Deploy agents that verify the hash of executed binaries against the SBOM at launch time.
- Credential hygiene – Store signing keys in hardware security modules (HSMs) and enforce short‑lived signing tokens.
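The SBOM enforcement step can be expressed as a build gate. This is an added example, not tooling from the article or from CrowdStrike: it compares a constructed CycloneDX-style SBOM against an allow-list whose format (package, approved version, approved SHA-256) is an assumption, and all versions and hashes are sample values.

```python
import json

# Constructed CycloneDX-style SBOM; package versions and hashes are sample values.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "axios", "version": "1.0.1",
   "hashes": [{"alg": "SHA-256", "content": "bbbb"}]},
  {"type": "library", "group": "@tanstack", "name": "react-query", "version": "5.0.0",
   "hashes": [{"alg": "SHA-256", "content": "cccc"}]},
  {"type": "library", "name": "demo-helper", "version": "0.1.0"}
]}
"""

# Assumed allow-list format: package -> {approved version: approved SHA-256}.
ALLOW_LIST = {
    "axios": {"1.0.0": "aaaa"},
    "@tanstack/react-query": {"5.0.0": "cccc"},
}

def package_name(component):
    """CycloneDX stores an npm scope in 'group'; rebuild the full package name."""
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]

def sha256_of(component):
    """Return the component's SHA-256 from the SBOM, or None if it has none."""
    for entry in component.get("hashes", []):
        if entry.get("alg") == "SHA-256":
            return entry.get("content", "").lower()
    return None

def check_sbom(sbom, allow_list):
    """Return (package, version, reason) for every component that fails the allow-list."""
    violations = []
    for comp in sbom.get("components", []):
        name, version = package_name(comp), comp.get("version")
        approved = allow_list.get(name)
        if approved is None:
            violations.append((name, version, "package not on allow-list"))
        elif version not in approved:
            violations.append((name, version, "version not approved"))
        elif sha256_of(comp) != approved[version].lower():
            # Fail closed: a missing hash is treated the same as a wrong one.
            violations.append((name, version, "hash missing or mismatched"))
    return violations

if __name__ == "__main__":
    for name, version, reason in check_sbom(json.loads(SBOM_JSON), ALLOW_LIST):
        print(f"BLOCK {name}@{version}: {reason}")
```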
Practical steps for developers and admins
- Update macOS clients now – Open the App Store or download the latest installers from the official OpenAI portal before the June 12 cut‑off.
- Audit CI pipelines – Review any step that pulls external packages. Pin exact versions and enable reproducible builds with tools like Reproducible Builds.
- Rotate signing keys – If your organization signs its own macOS or iOS apps, treat this incident as a reminder to rotate keys regularly and store them in an HSM.
- Enable two‑factor authentication on CI/CD accounts – Prevent token theft by requiring MFA for any token generation.
- Monitor for C2 traffic – Block outbound connections to known malicious IPs (e.g., 83.142.209.194) at the firewall level.
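For the pipeline audit step, one concrete check is whether an npm project actually pins what it installs. This is an added example, not from the article: it flags floating version specifiers in package.json and lockfile entries that lack an integrity hash or resolve off the expected registry. The manifest and lockfile are constructed, and the trusted-host list is an assumption.

```python
import json
import re
from urllib.parse import urlparse

EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")
TRUSTED_HOSTS = {"registry.npmjs.org"}  # assumption: only the public registry is used

# Constructed manifest and lockfile (v3 layout); names, versions and hashes are samples.
PACKAGE_JSON = """{"name": "demo",
 "dependencies": {"axios": "^1.0.0", "demo-lib": "4.0.0"},
 "devDependencies": {"demo-tool": "latest", "demo-plugin": "github:example/demo-plugin"}}"""
PACKAGE_LOCK = """{"lockfileVersion": 3, "packages": {
 "": {"name": "demo"},
 "node_modules/axios": {"version": "1.0.0", "integrity": "sha512-AAAA",
   "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.0.tgz"},
 "node_modules/demo-lib": {"version": "4.0.0", "integrity": "sha512-BBBB",
   "resolved": "https://mirror.example.net/demo-lib-4.0.0.tgz"},
 "node_modules/demo-tool": {"version": "5.0.0",
   "resolved": "https://registry.npmjs.org/demo-tool/-/demo-tool-5.0.0.tgz"}}}"""

def unpinned_specs(manifest):
    """Return (section, package, spec) for each dependency not pinned to an exact version."""
    return [(section, name, spec) for section in SECTIONS
            for name, spec in manifest.get(section, {}).items()
            if not EXACT.match(spec)]

def lockfile_findings(lock):
    """Return (entry, problem) for entries with no integrity hash or an untrusted source."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):  # skip the root project and workspace links
            continue
        if not entry.get("integrity"):
            findings.append((path, "no integrity hash"))
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in TRUSTED_HOSTS:
            findings.append((path, f"resolved from {host}"))
    return findings

if __name__ == "__main__":
    for finding in unpinned_specs(json.loads(PACKAGE_JSON)):
        print("unpinned:", *finding)
    for finding in lockfile_findings(json.loads(PACKAGE_LOCK)):
        print("lockfile:", *finding)
```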
The broader supply‑chain threat landscape
TeamPCP’s recent contest, offering a $1,000 Monero bounty for successful compromises of open‑source packages, illustrates how threat actors are now monetizing the supply‑chain attack process itself. By releasing the Shai‑Hulud worm publicly, they lower the barrier for less‑skilled actors to weaponize the same technique.
Mistral AI’s disclosure adds another layer of complexity: the malware includes a fallback mechanism called FIRESCALE that searches public GitHub commit messages for a signed alternative C2 URL, verified against a 4096‑bit RSA key. This “commit‑message beacon” technique makes takedown harder because the attacker can dynamically change the server address without updating the binary.
Geographically targeted destructive payloads—audio playback followed by file deletion on machines located in Israel or Iran—show that the campaign is also politically motivated, not purely financially driven.
What you can do today
- Run an SBOM scan on all your internal packages using tools like CycloneDX or Syft.
- Enable repository‑level protection – Require code‑owner reviews for any changes to package.json or requirements.txt files.
- Adopt signed commits – Verify that every commit is signed with a GPG key tied to a known developer identity.
- Deploy endpoint detection that can flag unusual processes spawning from node or python interpreters that load unsigned modules.
Bottom line
The TanStack supply‑chain breach that reached OpenAI demonstrates how a single compromised CI token can cascade into credential theft, code exfiltration, and the need for emergency certificate revocation. Organizations should treat their build pipelines as critical infrastructure, enforce strict dependency controls, and keep signing keys under hardware‑based protection. For macOS users of OpenAI’s desktop tools, updating now is the simplest way to stay protected.
Stay ahead of supply‑chain threats by regularly reviewing your SBOM, hardening CI/CD, and rotating signing credentials.
