OpenAI explained the TanStack npm attack and asked users to update macOS apps by June 12
OpenAI disclosed details of the Mini Shai-Hulud attack through the TanStack npm library. The company says user data and production were not affected, but the ma

OpenAI has explained how it responded to the Mini Shai-Hulud attack through the TanStack npm ecosystem. The company claims it found no signs of compromise to user data, production systems, or its products' code, but is still launching a mandatory update of macOS applications by June 12, 2026.
What happened
On May 11, 2026 UTC, threat actors compromised one of the popular open-source packages in the TanStack ecosystem. OpenAI states that the attack was part of a broader Mini Shai-Hulud campaign that targeted not a single company, but common links in the software supply chain: dependencies, package managers, and development tools. Within OpenAI, two employee devices in the corporate environment were affected.
After detecting malicious activity, the company launched an investigation and engaged an external team of digital forensics and incident response specialists. According to OpenAI, the malicious package's behavior matched a previously described scenario: unauthorized access and attempts to exfiltrate credentials from a limited set of internal repositories to which these two employees had access. The company claims that only individual secrets and credentials were actually exfiltrated, while other code and information were not compromised.
The investigation found no traces of impact on user data, production systems, or OpenAI's intellectual property.
How OpenAI responded
The first task was to localize the incident and block possible avenues for further access. OpenAI isolated the affected devices and associated accounts, revoked user sessions, rotated all credentials in the affected repositories, and temporarily restricted code deployment workflows. In parallel, the company separately reviewed the behavior of the accounts and secrets themselves to understand whether anyone had already used the stolen materials. As of publication, OpenAI states it has not seen signs of subsequent unauthorized access or misuse of this data.
"We found no evidence that OpenAI user data was compromised."
An important detail: the affected repositories also contained code-signing certificates for OpenAI products. So the response was not limited to cleaning infected machines. The company started rotating code-signing certificates and separately coordinated with platform partners to block new notarization procedures using the old signing materials.
Additionally, OpenAI re-examined already released software and found no signs that anyone had signed a malicious application on its behalf or replaced published builds. OpenAI separately explained that after the Axios incident, it accelerated implementation of additional measures against supply chain attacks, but this case came during the rollout phase. The two affected devices had not yet received updated package manager configurations and new package origin checks.
Among the measures the company now emphasizes are minimumReleaseAge for dependencies, enhanced protection of sensitive credentials in CI/CD, and additional provenance validation for new packages.
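To make the minimumReleaseAge idea concrete, here is an added example (not code from OpenAI, pnpm or the TanStack project) that applies the same policy as a standalone check over an npm registry package document: a version is only accepted if it was published at least N minutes ago, and the newest version that satisfies the age policy is selected instead of the freshest one. It also reports whether the registry lists a provenance attestation for the version, which is the kind of signal a provenance check would consume. The document shape (the top-level "time" map, "dist-tags" and per-version "dist") follows the public npm registry; that "dist.attestations" appears only for versions published with provenance is an assumption of this example. The package name, versions, URLs and timestamps are constructed sample data, not the real compromised packages.

```python
"""Dependency-intake gate: minimum release age plus provenance presence.

Added example, not code from OpenAI, pnpm or TanStack. It mirrors the
policy behind pnpm's minimumReleaseAge setting as a standalone check over
an npm registry package document ("packument"). The packument shape follows
the public npm registry; the assumption that "dist.attestations" is present
only for provenance-published versions is this example's own. All package
names, versions, URLs and timestamps below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed sample packument (shape of https://registry.npmjs.org/<name>).
SAMPLE_PACKUMENT = {
    "name": "example-lib",  # constructed name, not a real package
    "dist-tags": {"latest": "1.4.1"},
    "time": {
        "created": "2025-01-10T09:00:00.000Z",
        "modified": "2026-05-11T14:02:00.000Z",
        "1.4.0": "2026-04-20T08:15:00.000Z",
        "1.4.1": "2026-05-11T14:02:00.000Z",  # published less than an hour ago
    },
    "versions": {
        "1.4.0": {"dist": {
            "tarball": "https://registry.example.invalid/example-lib-1.4.0.tgz",
            # assumed shape of a provenance attestation entry
            "attestations": {
                "url": "https://registry.example.invalid/-/npm/v1/attestations/example-lib@1.4.0",
                "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
            },
        }},
        "1.4.1": {"dist": {
            "tarball": "https://registry.example.invalid/example-lib-1.4.1.tgz",
            # no attestations listed: published without provenance
        }},
    },
}


def parse_iso(ts: str) -> datetime:
    """npm timestamps are ISO 8601 with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str):
    """Sort key for plain x.y.z versions; pre-release tags are ignored by this check."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return None


def published_versions(packument: dict) -> dict:
    """Map each numeric version to its publish time, skipping the created/modified entries."""
    return {
        v: parse_iso(t)
        for v, t in packument["time"].items()
        if v not in ("created", "modified") and version_key(v) is not None
    }


def age_minutes(packument: dict, version: str, now: datetime) -> float:
    """Minutes elapsed between the version's publish time and `now`."""
    return (now - published_versions(packument)[version]).total_seconds() / 60


def has_provenance(packument: dict, version: str) -> bool:
    """True when the registry lists an attestation block for this version (assumed shape)."""
    dist = packument.get("versions", {}).get(version, {}).get("dist", {})
    return bool(dist.get("attestations"))


def select_version(packument: dict, min_age_minutes: int, now: datetime):
    """Newest version (by semver) whose publish time satisfies the minimum age, or None."""
    cutoff = now - timedelta(minutes=min_age_minutes)
    eligible = [v for v, t in published_versions(packument).items() if t <= cutoff]
    return max(eligible, key=version_key) if eligible else None


def evaluate(packument: dict, min_age_minutes: int, now: datetime) -> dict:
    """Apply the age policy to the 'latest' tag and report the version that would be installed."""
    latest = packument["dist-tags"]["latest"]
    age = age_minutes(packument, latest, now)
    return {
        "latest": latest,
        "age_minutes": round(age, 1),
        "latest_allowed": age >= min_age_minutes,
        "latest_has_provenance": has_provenance(packument, latest),
        "resolved": select_version(packument, min_age_minutes, now),
    }


if __name__ == "__main__":
    # Constructed "current time": 58 minutes after the sample 1.4.1 publish.
    now = parse_iso("2026-05-11T15:00:00Z")
    for policy in (30, 1440):  # 30 minutes vs. one day
        print(f"minimumReleaseAge={policy}:", evaluate(SAMPLE_PACKUMENT, policy, now))
```

With a one-day policy the freshly published 1.4.1 is rejected and the resolver falls back to 1.4.0, which is both old enough and carries a provenance attestation; with a 30-minute policy 1.4.1 would be installed even though nothing vouches for its build origin. A real tool would fetch the packument from the registry instead of using the embedded sample and would handle pre-release versions.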
What Mac users should do
For ordinary users, the main takeaway is practical: if you use OpenAI applications on macOS, they need to be updated by June 12, 2026. Once the old certificate is fully revoked, macOS will begin blocking new downloads and first launches of applications signed with the old keys. OpenAI deliberately leaves this window open until that date because an immediate revocation could break legitimate updates and first launches of unmodified applications for some users.
- ChatGPT Desktop needs to be updated
- Codex App needs to be updated
- Codex CLI needs to be updated
- Atlas needs to be updated
For Windows and iOS, no separate user action is required, though the company is re-releasing applications with new certificates across all affected platforms. User passwords and API keys, according to OpenAI, were not affected, so there is no need to change them. The safest approach is to install updates only through the application's built-in mechanism or official download pages. OpenAI specifically warns against installing "OpenAI," "ChatGPT," or "Codex" from emails, advertisements, messengers, and third-party catalogs.
What this means
This incident demonstrates well how attacks on dependencies quickly extend beyond the development environment and reach ordinary users through certificates, desktop clients, and update mechanics. For companies, the lesson is straightforward: it's not enough to check your own code, you also need to strictly control the origin of packages, protect CI/CD, and be able to quickly re-release signatures without stopping the product.