Dateline: May 15, 2026
How a Six-Minute Window Compromised 170 Packages and Reached OpenAI
OpenAI became the most high-profile casualty of a coordinated software supply chain attack that unfolded on May 11, 2026, when a financially motivated threat group known as TeamPCP compromised over 170 npm and PyPI packages used by developers worldwide.
What Happened
On May 11, 2026, TanStack, a widely used open-source library, was compromised as part of a broader software supply chain attack known as Mini Shai-Hulud. Two employee devices in OpenAI’s corporate environment were impacted.
The attack did not start with OpenAI. TeamPCP published 84 malicious npm package artifacts across 42 packages in the @tanstack namespace between 19:20 and 19:26 UTC. The packages were not published by an attacker who stole credentials. They were published by TanStack’s own legitimate release pipeline, using its trusted OIDC identity, after attacker-controlled code hijacked the runner mid-workflow.
The attack chained three vulnerabilities. The attacker:
- Forked the TanStack router repository
- Opened a pull request that triggered a pull_request_target workflow
- Poisoned the GitHub Actions cache with a malicious pnpm store
When legitimate maintainer activity later triggered the release workflow, the poisoned cache was restored and attacker-controlled binaries extracted OIDC tokens directly from the GitHub Actions runner process memory.
The result: malicious packages that looked completely legitimate, published through trusted pipelines, carrying valid cryptographic attestations. This is the first documented case of a malicious npm package carrying valid SLSA provenance, a cryptographic certificate generated by Sigstore meant to verify a package was built from a trusted source.
The Impact
At OpenAI, the damage was contained but not trivial. Unauthorized access and credential-focused exfiltration activity occurred in a limited subset of internal source code repositories to which the two impacted employees had access. Only limited credential material was successfully exfiltrated.
The near-miss was significant. Analysts noted the attackers were close to being able to sign malicious code as official OpenAI software. As a precaution, OpenAI is rotating code-signing certificates for its applications, a move that requires all macOS users to update their apps, including ChatGPT and Codex, by June 12th.
OpenAI was not the only target. The attack compromised packages across multiple namespaces simultaneously, including the @mistralai, @uipath and @tanstack ecosystems.
In total, the campaign produced 373 malicious package-version entries spanning 169 npm package names and 2 PyPI packages. TeamPCP also briefly published the Shai-Hulud source code on GitHub before it was removed, raising the risk of copycat variants.
How to Protect Your Environment
If your team installs npm or PyPI packages as part of any development or CI/CD workflow, treat this as an active exposure issue, not a news story.
Immediate steps:
- Search your lockfiles and CI logs for any @tanstack package versions installed on May 11, 2026.
- Check .claude/ and .vscode/ directories for router_runtime.js or setup.mjs. These payload files survive npm uninstall.
- Block git-tanstack.com and *.getsession.org at the DNS or proxy level.
- Rotate all credentials reachable from any affected machine or runner, including GitHub tokens, npm tokens, AWS and GCP credentials, Kubernetes service accounts, and CI/CD secrets.
- Remove the gh-token-monitor daemon from developer machines before revoking GitHub tokens to avoid triggering the wiper behavior.
- Upgrade to clean package versions published after May 12, 2026.
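A triage sketch for the first two steps above, added here as an example and not taken from the article or any vendor tooling. It lists every @tanstack entry in a package-lock.json (lockfileVersion 2 or 3 is assumed) for manual review, since the article gives no version numbers, and looks for the two payload file names under .claude/ and .vscode/. The function names and the sample package `@tanstack/example-pkg` with its version are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# File and directory names come from the "Immediate steps" list above.
PAYLOAD_NAMES = {"router_runtime.js", "setup.mjs"}
PAYLOAD_DIRS = {".claude", ".vscode"}
SCOPE = "@tanstack/"

def tanstack_entries(lockfile: Path) -> list:
    """Return sorted (package, version) pairs for @tanstack entries in a
    package-lock.json that uses the lockfileVersion 2/3 "packages" map."""
    data = json.loads(lockfile.read_text(encoding="utf-8"))
    found = set()
    for key, meta in data.get("packages", {}).items():
        # Keys look like "node_modules/a/node_modules/@tanstack/pkg";
        # the text after the last "node_modules/" is the package name.
        name = key.rpartition("node_modules/")[2]
        if name.startswith(SCOPE):
            found.add((name, meta.get("version", "unknown")))
    return sorted(found)

def payload_files(root: Path) -> list:
    """Return payload-named files that sit under any .claude/ or .vscode/
    directory below root, as paths relative to root."""
    hits = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        in_watched_dir = PAYLOAD_DIRS & set(rel.parts[:-1])
        if path.name in PAYLOAD_NAMES and in_watched_dir and path.is_file():
            hits.append(rel.as_posix())
    return sorted(hits)

def demo() -> tuple:
    """Scan a constructed project tree (sample data, not real indicators)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lock = {"lockfileVersion": 3, "packages": {
            "": {"name": "app"},
            "node_modules/@tanstack/example-pkg": {"version": "0.0.0-sample"},
            "node_modules/left-pad": {"version": "1.3.0"}}}
        (root / "package-lock.json").write_text(json.dumps(lock))
        for d, f in ((".vscode", "setup.mjs"), ("src", "setup.mjs")):
            (root / d).mkdir()
            (root / d / f).write_text("// constructed placeholder\n")
        return tanstack_entries(root / "package-lock.json"), payload_files(root)

if __name__ == "__main__":
    print(demo())
```

Run both functions against each repository checkout and developer home directory; a payload hit means the machine should be treated as affected for the credential-rotation step.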
If Your Supply Chain Looks Like This, You Have a Visibility Problem
Most organizations that got hit by Mini Shai-Hulud were not running unvetted software. They were running packages that passed every automated check, published through pipelines they trusted, carrying certificates that declared them legitimate. That is the point. The attack was designed to be invisible to the standard controls.
Secure.com’s AppSec Teammate is built for exactly this kind of threat, where the danger is not a known bad package but a trusted one that has been quietly turned.
- Continuous software composition analysis across your npm and PyPI dependencies, flagging new or modified package versions the moment they are published.
- CI/CD pipeline monitoring that surfaces unexpected behavior in build workflows, including unauthorized token usage and anomalous publish events.
- Real-time credential exposure detection so that exfiltrated tokens are identified and rotated before they can be used for lateral movement.
- Third-party dependency mapping that shows which internal repositories and systems are reachable from a compromised package install.
- Automated alerting on new package versions in your lockfile, with a quarantine window before they are allowed into production pipelines.
The packages looked legitimate. The pipeline was trusted. The attestation was valid. None of that stopped the attack. What stops it is knowing the moment something in your supply chain changes.