Attackers stole a limited amount of internal credential material after malware hidden in poisoned packages reached two staff machines
# Incident Report: OpenAI TanStack Package Compromise
## Executive Summary
OpenAI was targeted as part of the wider "Mini Shai-Hulud" supply chain campaign after two employee machines installed poisoned npm packages from the TanStack ecosystem. The attackers successfully exfiltrated a limited amount of internal credential material from accessible code repositories. While production systems and customer data remained unaffected, the incident forced a mandatory rotation of signing certificates for several macOS desktop applications.
## Incident Details
- **Discovery Date:** May 2026 (Reported May 15, 2026)
- **Incident Date:** Late April - Early May 2026
- **Affected Organization:** OpenAI
- **Sector:** Artificial Intelligence / Technology
- **Geography:** Global (Headquartered in USA)
## Timeline of Events
### Initial Access
- **Date/Time:** April/May 2026
- **Vector:** Software Supply Chain Attack (npm package poisoning)
- **Details:** Attackers compromised the `@tanstack` npm organization and published 84 malicious versions across 42 packages. Two OpenAI employees downloaded these poisoned dependencies before supply chain security controls had been fully rolled out to their machines.
### Lateral Movement
- **Details:** The malware executed on developer workstations, gaining access to internal code repositories reachable via the employees' local environments and active sessions.
### Data Exfiltration/Impact
- **Details:** Attackers performed "credential-focused exfiltration," stealing limited internal credential material and secrets stored within accessible code repositories.
### Detection & Response
- **How it was discovered:** Likely via internal monitoring or downstream notification following the disclosure of the wider TanStack/Mini Shai-Hulud campaign.
- **Response actions taken:** Isolated affected devices, conducted forensic analysis of accessed repositories, and initiated a company-wide rotation of signing certificates for desktop products.
## Attack Methodology
- **Initial Access:** Supply Chain Compromise (Poisoned npm packages: `@tanstack/*`).
- **Persistence:** Not explicitly detailed, but targeted at developer CI/CD and local environments.
- **Privilege Escalation:** Use of stolen developer credentials to access internal repositories.
- **Defense Evasion:** Use of legitimate (but compromised) package distribution channels (npm).
- **Credential Access:** Exfiltration of GitHub tokens, cloud secrets, and internal repository credentials.
- **Discovery:** Automated scanning of developer environment variables and local files for secrets.
- **Lateral Movement:** Accessing internal code repositories using active employee sessions/tokens.
- **Collection:** Targeting internal source code repositories for embedded secrets.
- **Exfiltration:** Credential material sent to attacker-controlled infrastructure.
- **Impact:** Forced rotation of cryptographic signing certificates for distributed software.
## Impact Assessment
- **Financial:** Costs associated with incident response, forensic auditing, and certificate re-issuance.
- **Data Breach:** Limited internal credential material; no customer data compromised.
- **Operational:** Required mandatory updates for ChatGPT Desktop (macOS), Codex, and Atlas users by June 12.
- **Reputational:** Moderate; highlights ongoing risks in the AI software supply chain despite recent security upgrades.
## Indicators of Compromise
- **Network indicators:** Connections to malicious domains associated with the "Mini Shai-Hulud" campaign (e.g., `hxxps[://]api[.]teampcp[.]com` - *simulated defanged example*).
- **File indicators:** Malicious versions (84 total) of `@tanstack` npm packages.
- **Behavioral indicators:** Unauthorized access to internal repositories from developer machines; unusual automated exfiltration patterns.
## Response Actions
- **Containment:** Isolated the two compromised employee devices.
- **Eradication:** Removed malicious npm packages and purged related build artifacts.
- **Recovery:** Rotating signing certificates for ChatGPT Desktop (macOS), Codex App, Codex CLI, and Atlas.
- **User Notification:** Required all users of affected desktop applications to update by June 12.
## Lessons Learned
- **Phased Rollouts:** The incident occurred specifically on machines that had not yet received new security controls, highlighting the window of vulnerability during slow security deployments.
- **Dependency Risk:** Even highly trusted ecosystems like TanStack are susceptible to compromise through stolen maintainer credentials or CI/CD flaws.
- **Secret Management:** The presence of exfiltratable credential material in code repositories remains a high-value target for attackers.
## Recommendations
- **Zero Trust for Dependencies:** Implement automated "lockfile" auditing and allow-listing for npm packages.
- **Secret Scanning:** Enhance real-time scanning of all internal repositories to ensure no credentials or tokens are stored in plaintext.
- **Accelerated Deployment:** Shorten the window for deploying critical security controls across developer workstations.
- **Hardware Security Keys:** Enforce the use of hardware-based MFA for all internal repository access to mitigate the impact of stolen session tokens.
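
One way to implement the lockfile auditing and allow-listing recommended under "Zero Trust for Dependencies", as an added example that is not part of the original report or any OpenAI or TanStack code. The function names, the allow-list shape, and every package name, version and integrity string in the sample data are assumptions constructed for illustration.

```javascript
// Added example (not from the original report): audit an npm lockfile
// (lockfileVersion 2/3) against an allow-list. All sample data is constructed.
const TRUSTED_REGISTRY = "registry.npmjs.org";

// The package name is whatever follows the last "node_modules/" in the key.
function packageName(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function auditLockfile(lock, allowList) {
  const findings = [];
  const owns = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name || entry.link) continue; // skip the root project and workspace links
    const flag = (issue) => findings.push({ name, version: entry.version, issue });
    const approved = owns(allowList, name) ? allowList[name] : null;
    if (!approved) flag("not-allow-listed");
    else if (!approved.includes(entry.version)) flag("version-not-approved");
    // A pinned integrity hash is what lets `npm ci` reject a swapped tarball.
    if (!entry.integrity) flag("missing-integrity");
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch { /* absent or malformed */ }
    if (host !== TRUSTED_REGISTRY) flag("untrusted-source");
  }
  return findings;
}

// Constructed sample lockfile: names, versions and hashes are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/example-pkg": {
      version: "9.9.9",
      resolved: "https://registry.npmjs.org/@tanstack/example-pkg/-/example-pkg-9.9.9.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/left-helper": {
      version: "1.2.0",
      resolved: "https://mirror.example.invalid/left-helper-1.2.0.tgz",
    },
  },
};
const sampleAllowList = { "@tanstack/example-pkg": ["9.9.8"], "left-helper": ["1.2.0"] };

console.log(auditLockfile(sampleLock, sampleAllowList));
```

Run as a CI gate before install, a non-empty findings list should fail the build so that an unreviewed version never reaches a developer or build machine.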