OpenAI says two employees' devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and PyPI packages, causing the company to rotate code-signing certificates for its applications as a precaution.

TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm packages.

Hundreds of software packages are affected, once again threatening enterprise credentials on coders’ machines.

May 14 : OpenAI said on Wednesday it found no evidence that its user data was accessed after a security issue involving a supply-chain attack on TanStack npm, an open-source…

OpenAI says two employees' devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and PyPI packages, causing the company to rotate…

Attackers stole a limited amount of internal credential material after malware hidden in poisoned packages reached two staff machines

Mini Shai-Hulud hit 2 OpenAI devices via TanStack, exposing limited credentials and forcing macOS certificate updates by June 12, 2026.