On May 15, 2026, OpenAI published a confirmation: two of its employee devices were compromised in the Mini Shai-Hulud supply chain attack that hit TanStack npm packages four days earlier. Limited credential material was exfiltrated from a small subset of internal source code repositories. No customer data, no production systems, no intellectual property — but the company is now rotating its code-signing keys for Windows, macOS, iOS, and Android, and every macOS user of ChatGPT Desktop, Codex App, Codex CLI, and Atlas has until June 12, 2026 to update before the previous certificates are fully revoked.
This is the closest the AI supply chain has come to a marquee incident. A self-spreading worm, riding on a developer library, hit a developer machine at the largest AI lab in the world.
The malware is called Mini Shai-Hulud, a smaller, faster relative of the original Shai-Hulud npm worm seen in 2025. StepSecurity, Snyk, and Wiz attributed the May 11, 2026 wave to TeamPCP, a financially motivated group also tied to the Trivy scanner compromise in March 2026 and the Bitwarden CLI breach in April 2026. The full technical writeup is available from StepSecurity's research team.
The credentials that leaked are not the headline. The signing certificates are. macOS users who download a freshly compromised version of ChatGPT Desktop or Codex CLI after June 12, 2026 — once the old certificate is fully revoked — will be blocked by macOS Gatekeeper. That is the correct outcome. But the same architecture means an attacker who had obtained those keys earlier could have signed and notarized malware that every Mac in the world would trust by default. Two developer laptops sat inside the blast radius of that scenario.
For everyone else, the lesson is more practical. Every AI lab and AI-adjacent company depends on the same npm registry, the same GitHub Actions surface, and the same trust-everything-signed apparatus. The worm propagates by exfiltrating CI/CD secrets — so the strongest defenses are the ones that limit what those secrets can do once stolen.
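One way to check how much a stolen CI/CD secret could do is to audit GitHub Actions workflow files for over-broad token permissions, action references that are not pinned to a commit SHA, and the secrets each job exposes. The script below is an added example, not code from OpenAI or the researchers named above; the sample workflow, its SHA, and the rule names are constructed for illustration.

```python
import re

# Constructed sample workflow, not taken from any real repository; the SHA is made up.
SAMPLE_WORKFLOW = """\
name: publish
on: push
permissions: write-all
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a2b3c4d5e6f7a8b9c0d1a2b3c4d5e6f7a8b9c0d
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMS = re.compile(r"^\s*permissions:\s*(\S*)")
SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")
PINNED = re.compile(r"@[0-9a-f]{40}$")  # full commit SHA, cannot be repointed

def audit_workflow(text):
    """Return (line_no, rule, detail) findings; rule names are this example's own."""
    findings, saw_permissions = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = PERMS.match(line)
        if m:
            saw_permissions = True
            if m.group(1) == "write-all":
                findings.append((no, "write-all", "GITHUB_TOKEN can write to every scope"))
        m = USES.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            # Local (./) and docker:// references are out of scope for this check.
            if not ref.startswith(("./", "docker://")) and not PINNED.search(ref):
                findings.append((no, "unpinned-action", ref))
        # Inventory of secrets a compromised job could read.
        for name in SECRET.findall(line):
            findings.append((no, "secret-in-scope", name))
    if not saw_permissions:
        findings.append((0, "no-permissions-block", "token uses the repository default"))
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Each `secret-in-scope` finding is an inventory entry rather than a defect: it names a credential that should be narrowly scoped and short-lived, because any code running in that job can read it.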
OpenAI handled this well — fast disclosure, narrow blast radius, full certificate rotation. The bigger signal is that the supply chain feeding into AI vendors is now an active battleground, and the same attack pattern will hit smaller labs without the same incident-response bench. Treat every developer laptop as a privileged-access workstation, and assume the next worm is already running.

