OpenAI confirms security breach in TanStack supply chain attack, but says no user data was affected
techradar.com
- OpenAI confirmed two employee devices were impacted in the TanStack “Mini Shai-Hulud” supply chain attack
- Malware exfiltrated limited credential material from internal code repositories; no customer data or IP affected
- OpenAI revoked sessions, rotated credentials and signing certificates; macOS users must update apps, Windows/iOS unaffected
OpenAI has confirmed two employee devices were affected by the recent TanStack supply chain attack, but stressed the incident left almost no mark on its operations.
A threat actor known as TeamPCP recently launched the “Mini Shai-Hulud” supply chain attack, in which 84 versions of the TanStack npm package were compromised and used to distribute malware.
The malware TeamPCP smuggled through was designed to harvest developer credentials, cloud secrets, and SSH keys. It is likely called “Mini Shai-Hulud” because it self-propagates across the ecosystem, similar to how the previous Shai-Hulud worm did. The name comes from the gigantic worms in ...

