HeadlinesBriefing.com

OpenAI details response to TanStack supply-chain breach

OpenAI Blog

OpenAI disclosed a supply‑chain breach that leveraged the popular TanStack npm library, part of the Mini Shai‑Hulud campaign. The intrusion touched two employee devices and a handful of internal repositories, exposing a limited set of credentials and signing certificates. No user data, production systems, or proprietary code were compromised, and the company engaged a forensic firm to contain the incident.

Response actions included isolating the compromised workstations, revoking active sessions, rotating all affected credentials, and temporarily halting code‑deployment pipelines. OpenAI also began rotating code‑signing certificates for iOS, macOS and Windows, forcing macOS users to update their apps before June 12, 2026. Platform partners were instructed to block further notarizations with the old keys, and a review found no malicious binaries signed with OpenAI certificates.

The breach underscores the growing risk of upstream dependency attacks, where a single compromised library can ripple through dozens of organizations. OpenAI’s post‑incident hardening adds minimum‑release‑age checks in its package manager and tighter CI/CD credential controls, measures rolled out after the earlier Axios incident. Users can continue to trust current OpenAI desktop builds, provided they install updates from official channels.
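To make the minimum-release-age control concrete, here is an added example (not OpenAI's code and not any package manager's implementation) of the check such a setting performs. Package managers that support this policy (for instance pnpm's `minimumReleaseAge` setting) read the registry's packument, whose `time` map records when each version was published, and refuse to resolve a version younger than the configured age, so a release pushed by an attacker minutes ago is not pulled into a build automatically. The package name, versions, timestamps and install time below are constructed placeholders, not real TanStack data.

```python
"""Minimum-release-age gate for an npm dependency (added example, not OpenAI's or npm's code).

A registry packument (GET https://registry.npmjs.org/<name>) carries a "time" map of
version -> ISO-8601 publish timestamp. The gate resolves the requested version or
dist-tag, computes how long ago it was published, and blocks it if it is younger
than the policy's minimum age, suggesting the newest version that is old enough.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed packument excerpt; name, versions and timestamps are placeholders.
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.4.0"},
    "time": {
        "created": "2024-01-10T12:00:00.000Z",
        "modified": "2026-05-31T09:12:00.000Z",
        "2.3.0": "2026-03-02T08:00:00.000Z",
        "2.3.1": "2026-04-15T10:30:00.000Z",
        "2.4.0": "2026-05-31T09:12:00.000Z",  # freshly published: blocked by a 7-day policy
    },
}

# Constructed install time used by the demo below.
INSTALL_TIME = datetime(2026, 6, 5, tzinfo=timezone.utc)


def parse_registry_time(ts: str) -> datetime:
    """Registry timestamps end in 'Z'; return a timezone-aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _semver_key(version: str) -> tuple[int, ...]:
    """Ordering key for plain MAJOR.MINOR.PATCH versions (pre-releases are skipped earlier)."""
    return tuple(int(part) for part in version.split("."))


def published_versions(packument: dict) -> dict[str, datetime]:
    """Map version -> publish time, ignoring the 'created'/'modified' keys and pre-releases."""
    return {
        key: parse_registry_time(ts)
        for key, ts in packument["time"].items()
        if key not in ("created", "modified") and "-" not in key
    }


def resolve(packument: dict, requested: str) -> str:
    """Resolve a dist-tag such as 'latest', or an exact version, to an exact version."""
    tags = packument.get("dist-tags", {})
    if requested in tags:
        return tags[requested]
    if requested in published_versions(packument):
        return requested
    raise KeyError(f"{packument['name']}@{requested}: no such version or dist-tag")


def release_age_days(packument: dict, version: str, now: datetime) -> float:
    """Age of `version` in days, measured from its registry publish time to `now`."""
    return (now - published_versions(packument)[version]) / timedelta(days=1)


def newest_allowed_version(packument: dict, now: datetime, min_age_days: int) -> str | None:
    """Highest version published at least `min_age_days` before `now`, or None if there is none."""
    cutoff = now - timedelta(days=min_age_days)
    eligible = [v for v, published in published_versions(packument).items() if published <= cutoff]
    return max(eligible, key=_semver_key) if eligible else None


def check_install(packument: dict, requested: str, now: datetime, min_age_days: int):
    """Return (allowed, resolved_version, reason) for installing `requested` under the policy."""
    version = resolve(packument, requested)
    age = release_age_days(packument, version, now)
    if age >= min_age_days:
        return True, version, f"{version} is {age:.1f} days old (policy minimum {min_age_days})"
    fallback = newest_allowed_version(packument, now, min_age_days)
    hint = f"; newest version old enough: {fallback}" if fallback else "; no version is old enough"
    return False, version, f"{version} is only {age:.1f} days old (policy minimum {min_age_days}){hint}"


if __name__ == "__main__":
    for requested in ("latest", "2.3.1"):
        print(requested, "->", check_install(SAMPLE_PACKUMENT, requested, INSTALL_TIME, min_age_days=7))
```

With a 7-day minimum, `latest` resolves to 2.4.0, which is under five days old and is refused, while 2.3.1 is accepted. The policy trades freshness for a window in which the ecosystem can notice and unpublish a malicious release; it does not replace lockfiles, provenance verification or credential hygiene in CI, which the post-incident hardening above pairs it with.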