If you use the ChatGPT desktop app on Mac, you’ll be forced to update it sometime between now and June 12. That’s due to a security breach involving two OpenAI employee devices …
The reason is a bit involved, but stems from a security issue involving open-source code used by the company. OpenAI stresses that it has found no evidence any user data was accessed nor were its own systems compromised.
On May 11, 2026 UTC, TanStack, a widely used open-source library, was compromised as part of a broader software supply chain attack known as Mini Shai-Hulud.
Two employee devices in our corporate environment were impacted by this attack. Upon identification of the malicious activity, we worked quickly to investigate, contain, and take steps to protect our systems. As part of our investigation and response, we engaged a third-party digital forensics and incident response firm.
We observed activity consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access. We confirmed that only limited credential material was successfully exfiltrated from these code repositories and that no other information or code was impacted.
