Full Report
The actions are being taken in light of an expanding supply chain campaign impacting the popular open-source library TanStack and additional npm and PyPI packages tied to several AI companies.
Analysis Summary
# Incident Report: Supply Chain Attack via TanStack and AI-Sector Compromise
## Executive Summary
A large-scale supply chain attack targeted the popular open-source library TanStack and various npm/PyPI packages, impacting several AI companies including OpenAI and Mistral AI. The attack involved compromising signing keys and injecting credential-stealing malware into 84 npm artifacts. OpenAI confirmed two employee devices were compromised, leading to the exfiltration of limited internal source code and credential material, though customer data remained secure.
## Incident Details
- **Discovery Date:** May 2026 (openly documented May 11–13)
- **Incident Date:** April 29, 2026 – May 11, 2026
- **Affected Organization:** OpenAI, Mistral AI, TanStack (and broader npm/PyPI users)
- **Sector:** Technology / Artificial Intelligence / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 29, 2026 (Phase 1)
- **Vector:** Compromised supply chain (npm package artifacts).
- **Details:** Malicious code was injected into 84 npm artifacts associated with TanStack and other libraries. Attackers used these packages to gain access to developer environments.
### Lateral Movement
- **Details:** The malware practiced "self-propagation" by targeting other packages maintained by the victim. In OpenAI's case, the malware transitioned from compromised employee devices to internal source code repositories (iOS, macOS, and Windows products).
### Data Exfiltration/Impact
- **Details:** TeamPCP (threat actor) successfully exfiltrated credential material and limited source code from OpenAI and Mistral AI. Mistral AI's codebase was "temporarily" compromised and offered for sale online.
### Detection & Response
- **Detection:** Activity consistent with "mini-shai-hulud" malware behavior was identified; UK government officials and security firms (Socket.dev) flagged the campaign on May 11.
- **Response:** OpenAI hired an IR firm, isolated impacted systems, rotated all credentials, and revoked compromised signing certificates.
## Attack Methodology
- **Initial Access:** Supply Chain Compromise (Malicious npm/PyPI packages).
- **Persistence:** Notarized software using legitimate (but compromised) OpenAI developer certificates.
- **Privilege Escalation:** Harvesting credentials from common developer locations and local stores.
- **Defense Evasion:** Use of legitimate developer signing keys to bypass macOS gatekeeper protections.
- **Credential Access:** Credential-focused exfiltration targeting tokens and login data.
- **Discovery:** Automated scanning for local repository access and maintained packages.
- **Lateral Movement:** Automated self-propagation through the victim's own software publishing accounts.
- **Collection:** Targeting internal source code repositories.
- **Exfiltration:** Data harvested and sent to actor-controlled infrastructure; subsequently offered for sale by "TeamPCP."
- **Impact:** Compromise of internal codebase integrity and potential for downstream "fake" application distribution.
## Impact Assessment
- **Financial:** Costs associated with hiring an incident response firm and rotating global credentials.
- **Data Breach:** Exfiltration of limited credential material and internal source code for iOS, macOS, and Windows applications.
- **Operational:** macOS users required to manually update software by June 12, 2026, to maintain service.
- **Reputational:** Public disclosure of internal repository theft; threat actors marketing stolen AI codebase.
## Indicators of Compromise
- **Network indicators:** Activity associated with TeamPCP infrastructure (defanged: hxxps[://]x[.]com/H4ckmanac).
- **File indicators:** 84 compromised npm package artifacts (e.g., TanStack libraries).
- **Behavioral indicators:** Unauthorized access to source code repositories; automated republishing of npm packages with malicious wrappers.
## Response Actions
- **Containment:** Isolated the two impacted employee devices and revoked all active user sessions.
- **Eradication:** Rotated compromised credentials and revoked the affected code-signing certificates.
- **Recovery:** Released updated macOS applications with new certificates; coordinated with platforms to stop new notarizations of compromised keys.
## Lessons Learned
- **Key Takeaways:** Dependency on high-download open-source libraries (12 million+ weekly) creates a massive single point of failure.
- **Developer Security:** Even internal source code repositories are vulnerable if developer workstations are compromised via standard package managers.
- **Certificate Management:** The ability to rapidly revoke and re-issue signing certificates is critical to preventing the distribution of "legitimately signed" malware.
## Recommendations
- **Zero Trust:** Implement strict device health checks and MFA for all repository access.
- **Dependency Pinning:** Use lockfiles and dependency scanning tools to detect unauthorized changes in npm/PyPI artifacts.
- **Audit Logs:** Monitor for unusual publishing activity or automated uploads to package registries from employee accounts.