OpenAI disclosed a supply chain security incident involving TanStack npm packages, confirming that no user data or products were compromised despite attacker control over parts of its corporate environment.
- Attacker infiltrated TanStack’s release pipeline via GitHub Actions runner takeover.
- No OpenAI user data or products impacted; limited corporate credential exposure.
- Attack named Mini Shai-Hulud affects over 170 npm and PyPI packages with 518M+ downloads.
What happened
In early May 2026, a sophisticated supply chain attack compromised the TanStack npm package release pipeline. An attacker-controlled fork exploited multiple GitHub Actions vulnerabilities, including token extraction from the runner's memory, which allowed the attacker to publish 84 malicious artifacts across 42 packages under the @tanstack namespace. These packages, which include extremely popular ones such as @tanstack/react-router with over 12.7 million weekly downloads, were signed using legitimate certificates, marking the first known npm worm with this level of authenticity.
OpenAI disclosed that this breach impacted two corporate laptops and some credential material from internal repositories but did not result in any user data access, product compromise, or software tampering. The malicious code reached these npm packages not through stolen passwords but through the hijacked release pipeline: the attacker exploited vulnerabilities in automation workflows rather than human credentials.
Why it matters
This incident highlights a new level of threat where attackers bypass traditional credential safeguards by exploiting vulnerabilities in CI/CD automation tools like GitHub Actions. The attacker’s ability to extract OpenID Connect tokens from the build runner’s process memory and then publish malicious code via a trusted pipeline reveals critical security gaps in supply chain and software distribution mechanisms.
The wide scale of the Mini Shai-Hulud worm campaign, which has compromised over 170 npm and PyPI packages with a combined download count exceeding 518 million, signals a systemic risk to the entire open source ecosystem. Other affected organizations include Mistral AI, UiPath, OpenSearch, and Guardrails AI. This incident serves as a cautionary example of how automation and supply chain trust assumptions can be weaponized against major software producers and consumers.
What to watch next
OpenAI is currently rotating credentials, restricting code deployment workflows, and enforcing code-signing certificate updates, leading to forced updates on the ChatGPT macOS application. Monitoring how OpenAI and TanStack further shore up their build environments and release pipelines will be key to preventing repeat incidents. Their response strategy draws a clear distinction between a corporate security breach and any impact on end users or customer products.
Meanwhile, the broader security community must watch for further Mini Shai-Hulud variants as ongoing GitHub Actions vulnerabilities remain exploitable. Organizations using CI/CD automation with open source dependencies will need to re-evaluate their trust boundaries, deploy stronger runtime protections on build runners, and keep a close watch for supply chain compromises potentially targeting other critical packages or tools.
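For teams checking their own exposure to the @tanstack compromise described above, one starting point is to inventory every install of that scope pinned in a lockfile, including nested copies, and compare it with the advisory's version list. This is an added example, not code from OpenAI, TanStack or the original article; the `AFFECTED` versions, the `example-*` package names and the sample lockfile are constructed placeholders, because the page does not list affected versions.

```javascript
// Hypothetical advisory list: the page does not enumerate affected versions,
// so this entry is a placeholder to be replaced from the vendor advisory.
const AFFECTED = {
  "@tanstack/react-router": new Set(["0.0.0-placeholder"]),
};

// Return one row per install of `scope` found in a parsed package-lock.json.
// Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
// lockfileVersion 1 (nested "dependencies" tree).
function findScoped(lock, scope) {
  const rows = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Nested installs look like node_modules/a/node_modules/@scope/name.
    const name = path.split("node_modules/").pop();
    if (name.startsWith(scope + "/")) rows.push({ name, version: meta.version, path });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name.startsWith(scope + "/")) rows.push({ name, version: meta.version, path });
      walk(meta.dependencies, path + "/");
    }
  };
  // v2 lockfiles carry both maps; use the legacy tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, "");
  return rows;
}

// Mark each install whose exact version appears in the advisory list.
function triage(lock, scope, affected) {
  return findScoped(lock, scope).map((r) => ({
    ...r,
    flagged: Boolean(affected[r.name] && affected[r.name].has(r.version)),
  }));
}

// Constructed lockfile fragment: one direct install and one nested install.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@tanstack/react-router": { version: "0.0.0-placeholder" },
    "node_modules/example-lib": { version: "1.0.0" },
    "node_modules/example-ui/node_modules/@tanstack/react-router": { version: "9.9.9-constructed" },
  },
};

for (const r of triage(SAMPLE_LOCK, "@tanstack", AFFECTED)) {
  console.log(`${r.flagged ? "AFFECTED" : "review"} ${r.name}@${r.version} (${r.path})`);
}
```

In practice, pass the parsed contents of the project's `package-lock.json` as `lock`; unflagged rows still deserve a manual look, since a nested copy can pin a different version than the top-level dependency.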