TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates

Ravie Lakshmanan
May 15, 2026
Supply Chain Attack / Malware

OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but noted that no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner.

"Upon identification of the malicious activity, we worked quickly to investigate, contain, and take steps to protect our systems," OpenAI said. "We observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access."

The artificial intelligence (AI) upstart said only limited credential material was successfully transferred from these code repositories, adding no other information or code was impacted.

Upon being alerted to the activity, OpenAI said it isolated impacted systems and identities, revoked user sessions, rotated all credentials across impacted repositories, temporarily restricted code-deployment workflows, and audited user and credential behavior. Since the impacted repositories included signing certificates for iOS, macOS, and Windows products, the company has taken the step of revoking the certificates and issuing new ones.

As a result, macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas are required to update their apps to the latest versions.

"This helps prevent any risk, however unlikely, of someone attempting to distribute a fake app that appears to be from OpenAI," OpenAI said. "Users do not need to take any action for Windows and iOS apps."

The certificates are scheduled to be revoked on June 12, 2026, after which new downloads and launches of apps signed with the previous certificate will be blocked by built-in macOS protections. Users are therefore advised to apply the updates before the cut-off date for optimal protection.

This is the second time OpenAI has rotated its macOS code-signing certificates in as many months. Around mid-April 2026, it rotated the certificates after a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, which was compromised by a North Korean hacking group called UNC1069.

"This incident reflects a broader shift in the threat landscape: attackers are increasingly targeting shared software dependencies and development tooling rather than any single company," OpenAI said. "Modern software is built on a deeply interconnected ecosystem of open-source libraries, package managers, and continuous integration and continuous deployment infrastructure, which means that a vulnerability introduced upstream can propagate widely and quickly across organizations."

The development comes close on the heels of TeamPCP claiming a number of fresh victims, compromising hundreds of packages associated with TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of an ongoing supply chain attack campaign designed to push malware to downstream developers and steal credentials from their systems to further extend the scale of the breaches.

"Just to be clear, no maintainer was phished, had a password leak, or a token stolen from their account," TanStack said. "The attacker managed to engineer a path where our own CI pipeline stole its own publish token for them, at the exact moment it was created, by way of a cache that everyone in the chain implicitly trusted. It is a sophisticated approach that we hadn't anticipated and that we're taking very seriously."

TeamPCP has since announced a supply chain attack contest in partnership with the Breached cybercrime forum, offering participants $1,000 in Monero to compromise open-source packages using the Shai-Hulud worm that it has made freely available to others. The hacking group has also threatened to leak about 5GB of internal source code from Mistral AI, asking for $25,000 BIN from prospective buyers.

"We are looking for $25k BIN or they can pay this and we will shred these permanently, only selling to the best offer and limited to one person, if we cannot find a buyer within a week we will leak all of these for free to the forums," TeamPCP said in the post.

In an updated advisory, Mistral AI confirmed it was impacted by a supply chain attack caused by the compromise of TanStack, leading to the release of trojanized versions of its npm and PyPI SDKs. It also said a lone developer device was impacted in the hack. There is no evidence to suggest its infrastructure was breached.

A deeper analysis of the modular Python toolkit delivered to Linux systems via the guardrails-ai and mistralai packages has uncovered that the primary command-and-control (C2) server address ("83.142.209[.]194") is hard-coded. In case the primary C2 becomes unreachable, a fallback mechanism called FIRESCALE is activated.

"When the primary C2 is unavailable, the malware searches all public GitHub commit messages worldwide for a signed alternative server URL, verified against an embedded 4096-bit RSA key," Hunt.io said. "Exfiltration follows three paths in sequence: primary C2 server, FIRESCALE dead-drop redirect, and the victim's own GitHub repository. Blocking any single tier leaves the other two intact."

The cybersecurity company also revealed that the collection module responsible for harvesting Amazon Web Services (AWS) credentials covers all 19 availability zones in its target list, including us-gov-east-1 (AWS GovCloud - US-East) and us-gov-west-1 (AWS GovCloud - US-West), which are restricted to U.S. government agencies and defense contractors.

Another unusual aspect of the campaign is the destructive behavior attached to it. On machines geolocated to Israel or Iran, a 1-in-6 probability gate activates audio playback at maximum volume, followed by the deletion of all accessible files. The malware exits on systems with a Russian locale.

The destructive actions targeting specific geographic regions mirror the "kamikaze" wiper that was unleashed by TeamPCP on Iran-based Kubernetes clusters in connection with a prior supply chain attack distributing a self-propagating worm known as CanisterWorm. These recurring behaviours point to a more intentional operation rather than something opportunistic.

That's not all. A closer examination of the attacker-controlled infrastructure has revealed that three different IP addresses in the 83.142.209[.]0/24 subnet have served as C2 servers: 83.142.209[.]194, 83.142.209[.]11, and 83.142.209[.]203, with the latter two used in the March 2026 supply chain attacks targeting Checkmarx and Telnyx, respectively.

"Both C2 addresses (83.142.209[.]194 and 83.142.209[.]203) were first seen with SSH active on November 15 and 21, 2025, roughly four months before the TanStack attack went public," Esteban Borges, head of research at Hunt.io, told The Hacker News via email. "The 83.142.209[.]0/24 block was provisioned during TeamPCP's pre-campaign build-up phase and left dormant to accumulate a clean history before being activated. Infrastructure aging is fairly common with organized groups."

"That same subnet showed up across every major TeamPCP wave we tracked through May 2026, not just TanStack and FIRESCALE. LiteLLM PyPI compromise, Trivy scanner hijack via GitHub Actions, the Checkmarx KICS attack, and the Jenkins AST Plugin backdoor in May."

Hunt.io also noted that the FIRESCALE tool and the modular Python malware are one of at least four distinct payloads attributed to this infrastructure, including the previous iteration of the TeamPCP Cloud Stealer targeting CI/CD runner secrets, a cryptocurrency miner from the December 2025 exploitation phase, and VECT ransomware deployed from late March 2026 using credentials stolen by the prior tools.

"The toolkit is more capable, more resilient, and more sophisticated," Hunt.io said. "Beyond credential files, the malware captures every environment variable on the machine, reads all SSH keys and config, walks the entire home directory for dotenv files, and pulls credentials from running Docker containers."

(The story was updated after publication on May 16, 2026, with additional insights from Hunt.io)
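
A defender-side check for the indicators reported above, as an added example (not code from the article, OpenAI, or Hunt.io): it refangs the article's C2 addresses and scans an egress log for any internal host that tried to reach 83.142.209[.]0/24. The log format, host names, and sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators as printed in the article (defanged), with the article's campaign labels.
C2_SUBNET = "83.142.209[.]0/24"
KNOWN_C2 = {
    "83.142.209[.]194": "primary C2 hard-coded in the Python toolkit",
    "83.142.209[.]11": "C2, March 2026 Checkmarx attack",
    "83.142.209[.]203": "C2, March 2026 Telnyx attack",
}

def refang(indicator):  # 83.142.209[.]194 -> 83.142.209.194
    return indicator.replace("[.]", ".")

SUBNET = ipaddress.ip_network(refang(C2_SUBNET))
KNOWN = {ipaddress.ip_address(refang(ip)): label for ip, label in KNOWN_C2.items()}
# Assumed (constructed) log format: "<time> <host> <ALLOW|DENY> dst=<ip>:<port>"
LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) dst=(\S+):(\d+)$")

def find_c2_contacts(lines):
    """Map each internal host to its connection attempts into the C2 subnet."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or truncated line
        ts, host, action, dst, _port = m.groups()
        try:
            ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # destination is not a plain IP literal
        if ip in SUBNET:
            hits[host].append((ts, str(ip), action, KNOWN.get(ip, "same /24, unlisted")))
    return dict(hits)

def triage(hits):
    """A DENY still shows the host ran the malware; fallback tiers may have succeeded."""
    return {h: ("connected" if any(a == "ALLOW" for _, _, a, _ in ev) else "blocked-only")
            for h, ev in hits.items()}

# Constructed sample egress log; host names, times and 83.142.209.57 are made up.
SAMPLE_LOG = [
    "2026-05-12T09:14:03Z ci-runner-3 ALLOW dst=83.142.209.194:443",
    "2026-05-12T09:14:09Z dev-laptop-07 DENY dst=83.142.209.203:443",
    "2026-05-12T09:15:41Z dev-laptop-07 DENY dst=83.142.209.57:22",
    "2026-05-12T09:16:00Z build-box-1 ALLOW dst=198.51.100.10:443",
    "truncated line without fields",
]
```

Hosts reported as "blocked-only" warrant the same response as "connected" ones, since the article notes that blocking the primary C2 leaves the FIRESCALE and GitHub-repository exfiltration tiers intact.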