OpenAI finds no customer data accessed after TanStack supply-chain attack
A TanStack package breach reached two OpenAI employee devices, but the company said no customer data or production systems were exposed.

A supply-chain compromise in the TanStack npm ecosystem pushed OpenAI into a wider security response this week, showing how a breach in a widely used open-source package can ripple into major companies even when no customer data is ultimately exposed. OpenAI said the incident began on May 11, 2026 UTC, and affected two employee devices in its corporate environment.
OpenAI said it found no evidence that customer data, production systems, intellectual property, or software changes were compromised. The company said it saw activity consistent with credential-focused exfiltration from a limited subset of internal source-code repositories, and that only limited credential material was taken. To contain the incident, OpenAI isolated affected systems, revoked sessions, rotated credentials, and temporarily restricted code-deployment workflows while the investigation continued. It also engaged a third-party forensics firm to help assess the breach.
The company is now rotating code-signing certificates as a precaution, a move tied to the authenticity of its macOS applications. OpenAI said macOS users will need to update OpenAI apps to the latest versions by June 12, 2026. The certificate rotation is designed to reduce the risk of anyone distributing a fake OpenAI app and to help ensure future attempts to impersonate OpenAI software can be blocked.
The incident lands in the middle of a broader campaign that security researchers have linked to Mini Shai-Hulud, which spread beyond TanStack into other ecosystems and packages including Mistral AI, UiPath, OpenSearch, and Guardrails AI. Security reporting said 42 @tanstack packages were affected and 84 malicious versions were published in a six-minute window on May 11, 2026. TanStack’s reach helped amplify the alarm: @tanstack/react-router alone was reported to have more than 12 million weekly downloads.
GitHub’s advisory database identified the TanStack incident as CVE-2026-45321 and recommended temporarily setting npm’s ignore-scripts option to true as a defense-in-depth measure, so that install-time lifecycle scripts in dependencies do not run. The wider episode has become a live example of the limits of trust in modern software distribution, where a single compromised dependency can trigger internal reviews, credential resets, and certificate rotations at companies far removed from the original package.