Our Response to the TanStack npm Supply Chain Attack
OpenAI, Wednesday, May 13th, 2026
OpenAI disclosed a TanStack npm supply chain attack but found no evidence of user data or product compromise.
OpenAI identified a security issue involving the compromised TanStack npm open-source library, part of the broader Mini Shai-Hulud supply chain attack, which impacted two employee devices. The company found no evidence that user data, production systems, or intellectual property were compromised, though some credential material was exfiltrated from a limited set of internal source code repositories.
As a precautionary measure, OpenAI is rotating code-signing certificates and requiring macOS users to update their applications by June 12, 2026, while Windows and iOS users do not need to take action. The company has implemented additional security controls and is working with platform providers to prevent unauthorized use of the impacted certificates.