Two corporate laptops, some credential material, and a forced macOS app update. The interesting part is how the malicious packages got published in the first place: not by a stolen npm password, but by TanStack’s own legitimate release pipeline, after the attacker code took over the runner mid-build.
OpenAI said on Wednesday that it found no evidence of user data being accessed, products being compromised, or its software being altered after a supply-chain compromise of the TanStack npm packages earlier this week.
Two employee devices in OpenAI’s corporate environment were affected, the company said in a notice published on its website. Limited credential material was exfiltrated from internal code repositories. Passwords and API keys were not.
The interesting part is how the malicious packages got there. On 11 May, between 19:20 and 19:26 UTC, 84 malicious artefacts were published across 42 packages in the @tanstack namespace, including @tanstack/react-router, which alone pulls more than 12.7 million weekly downloads.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!
They were not uploaded by an attacker who had phished an npm credential. They were uploaded by TanStack’s own legitimate release pipeline, using its trusted OIDC identity, after an attacker-controlled fork hijacked the GitHub Actions runner mid-workflow and exfiltrated the OIDC token directly from the runner’s process memory.
TanStack’s maintainer Tanner Linsley described it, accurately, as the first documented npm worm in history that ships with a valid signed certificate of authenticity.
The campaign has a name. Mini Shai-Hulud, a self-replicating descendant of the worm that first hit the npm registry in September 2025, has now compromised more than 170 packages across npm and PyPI, including releases from Mistral AI, UiPath, OpenSearch, and Guardrails AI.
The cumulative download count of the affected packages, per OX Security, is over 518 million. Microsoft Security Research is tracking it as the same campaign that ran in November and December 2025 under the Shai-Hulud 2.0 banner.
OpenAI’s exposure runs through this fan-out. The company has not said which TanStack package its developers were pulling from when the compromise happened, only that the affected machines have been isolated and that the credential rotation is underway.
Code-deployment workflows have been temporarily restricted. Code-signing certificates are being rotated, which is why macOS users of the ChatGPT desktop app are seeing forced application updates this week.
OpenAI’s framing of the incident is narrow on purpose. The company is drawing a careful line between its corporate engineering environment, where the breach happened, and its product surface, where it says nothing was touched.
That line is the difference between a workplace IT incident and a customer-facing security event, and OpenAI clearly does not want this read as the second.
The wider picture is harder to read calmly. Mini Shai-Hulud chained three GitHub Actions vulnerabilities (a pull_request_target trigger, cache poisoning, and OIDC token extraction from runner memory) to bypass every layer of npm publishing security at once.
Trusted publishing, the system designed to replace stealable npm tokens with short-lived OIDC ones, is what the attacker abused. The defence assumed the runner was trustworthy. The attacker made it not.
For OpenAI specifically, the takeaway is short. Two laptops, some credential material, a forced app update, no customer data, no product compromise. For everyone else publishing or consuming npm packages, the takeaway is longer.
The TeamPCPa-ttributed campaign behind Mini Shai-Hulud has also been linked to the compromise of Aqua Security’s Trivy scanner in March and the Bitwarden CLI npm package in April. There is no indication it has run out of targets.
Stephan is the sports journalist for the Maple Grove Report.
