← all news

OpenAI says a TanStack npm compromise touched two internal devices

AI · · · source (openai.com)

OpenAI published a post-incident note on the May 11 compromise of TanStack, the widely used npm library, as part of the broader Mini Shai-Hulud supply chain attack. Two employee devices inside OpenAI's corporate environment were affected. The company says it observed behavior consistent with the publicly described malware, including credential-focused exfiltration from a limited subset of internal source code repositories that those two engineers had access to. According to the writeup, only limited credential material left the environment, and there is no evidence that user data, production systems, intellectual property, or shipped software were touched.

The response followed a standard incident shape. OpenAI engaged a third-party digital forensics and incident response firm, contained the affected machines, and then went through the cleanup that this kind of compromise forces. The customer-visible part is the cert update. OpenAI is rotating its code-signing certificates, which means macOS users have to upgrade to the latest version of the desktop apps. Older versions stop receiving updates and support on June 12, 2026.

The disclosure is short on novel technical detail, but it is unusual in being explicit. Most companies hit by a TanStack-style npm attack do not say so publicly with named scope and timelines. That makes it useful as a reference point for other teams writing internal incident reports.

Why it matters

If your stack pulls TanStack or its transitive deps, treat this as a prompt to audit which developer machines could have been exposed during the window around May 11 and to rotate any tokens those devices had cached. The broader lesson is that a single compromised popular npm package now reaches AI labs and their source repos directly, so the npm trust chain is part of your AI security posture whether you frame it that way or not.

OpenAISecurity