OpenAI confirmed on Wednesday that two corporate laptops and limited credential material were compromised in the Mini Shai-Hulud npm supply chain worm that hijacked TanStack's release pipeline mid-build. The campaign has now infected more than 170 packages across npm and PyPI, with the affected packages representing a cumulative download count exceeding 518 million, according to OX Security.
What Happened
Between 19:20 and 19:26 UTC on 11 May, attackers published 84 malicious artefacts across 42 packages in the @tanstack namespace, including @tanstack/react-router, a package pulling more than 12.7 million weekly downloads. OpenAI engineers consuming TanStack dependencies pulled the trojanised releases into the company's corporate environment, where two employee devices were subsequently flagged as affected. OpenAI says no user data was accessed, no products were compromised, and no shipped software was altered. The affected machines have been isolated, code-deployment workflows have been temporarily restricted, and code-signing certificates are being rotated, which is the reason macOS users of the ChatGPT desktop app are receiving forced application updates this week.
What Was Taken
OpenAI disclosed that limited credential material was exfiltrated from internal code repositories on the two compromised laptops. The company explicitly stated that passwords and API keys were not among the exfiltrated material, and that no user data, customer information, or production product surface was touched. Credential rotation across the affected scope is in progress. Beyond OpenAI's footprint, the wider Mini Shai-Hulud campaign has compromised releases from Mistral AI, UiPath, OpenSearch, and Guardrails AI, harvesting tokens and developer secrets from every contaminated build environment it has reached.
Why It Matters
This is the first documented npm worm in history that ships with a valid signed certificate of authenticity, in the words of TanStack maintainer Tanner Linsley. The malicious releases were not the product of phishing or credential theft against the maintainer. They were published through TanStack's own legitimate release pipeline using its trusted OIDC identity, which means every downstream defensive control that relies on package provenance, signature validation, or trusted-publisher attestation treated the poisoned artefacts as legitimate. For consumers, this collapses the distinction between a compromised upstream account and a compromised upstream build system. Microsoft Security Research is tracking the activity as the same threat cluster that operated under the Shai-Hulud 2.0 banner in November and December 2025, and as a self-replicating descendant of the original npm worm that first appeared in September 2025.
The Attack Technique
The attackers did not steal an npm password. Instead, an attacker-controlled fork triggered TanStack's GitHub Actions release workflow and hijacked the runner mid-build, extracting the OIDC token directly from the runner's process memory. With that short-lived token in hand, the worm published the malicious artefacts through the legitimate publishing path, inheriting the project's trusted-publisher status on npm. Once installed, the malicious packages execute postinstall logic that scavenges environment variables, cloud metadata, and developer credentials from the host, then attempts to propagate by republishing trojanised versions of any packages the victim has publish rights to. That self-replicating fan-out is what has driven the campaign past 170 compromised packages and is the mechanism that pulled OpenAI's corporate developer machines into scope.
What Organizations Should Do
- Audit dependency manifests for any @tanstack package versions published between 19:20 and 19:26 UTC on 11 May, and quarantine any developer workstation or CI runner that resolved them.
- Rotate all developer credentials, cloud tokens, npm and PyPI publish tokens, and GitHub Personal Access Tokens that may have been present on affected build hosts or workstations.
- Pin npm and PyPI dependencies to known-good versions predating 11 May and enforce lockfile integrity, rather than relying solely on publisher trust or provenance attestation.
- Harden GitHub Actions release pipelines by restricting pull_request_target and fork-triggered workflows, scoping OIDC token permissions to the minimum required, and isolating publish steps to dedicated runners that never execute untrusted code.
- Hunt for indicators of postinstall execution: outbound traffic to attacker infrastructure, unexpected republish events on owned npm or PyPI packages, and credential-harvesting behaviour from Node and Python install processes.
- Subscribe to OX Security, Socket, and Microsoft Security Research feeds tracking Shai-Hulud variants, and treat any package shipped from a public-fork-triggered pipeline as untrusted until proven otherwise.
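The audit in the first recommendation, as an added example (not code from OpenAI, TanStack or the sources cited here): it walks a parsed package-lock.json (lockfileVersion 2 or 3) and flags @tanstack entries whose registry publish time falls inside the stated window. The year 2026, the function names, and every sample version and timestamp are assumptions constructed for illustration.

```javascript
// Incident window from the article (19:20-19:26 UTC, 11 May).
// Assumption: the year is 2026; the article gives only day and month.
const WINDOW = {
  start: Date.parse("2026-05-11T19:20:00Z"),
  end: Date.parse("2026-05-11T19:27:00Z"), // exclusive, so all of minute 19:26 is covered
};

// Package name from a lockfile "packages" key, nested installs included, e.g.
// "node_modules/a/node_modules/@tanstack/react-router" -> "@tanstack/react-router".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3).
// publishTimes: { "<name>": { "<version>": "<ISO time>" } }, the shape of the
// registry's per-package "time" field (what `npm view <pkg> time --json` prints).
function findWindowHits(lock, publishTimes, scope = "@tanstack/", win = WINDOW) {
  const hits = [];
  const unknown = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !name.startsWith(scope) || !entry.version) continue;
    const iso = publishTimes[name] && publishTimes[name][entry.version];
    const t = iso ? Date.parse(iso) : NaN;
    if (Number.isNaN(t)) {
      // No publish time available: the entry cannot be cleared, so report it.
      unknown.push({ path: key, name, version: entry.version });
    } else if (t >= win.start && t < win.end) {
      hits.push({ path: key, name, version: entry.version, published: iso });
    }
  }
  return { hits, unknown };
}

// Constructed sample data: versions and timestamps are invented for illustration.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@tanstack/react-router": { version: "9.9.1" },
  "node_modules/ui-kit/node_modules/@tanstack/react-router": { version: "9.9.0" },
  "node_modules/@tanstack/query-core": { version: "8.8.8" },
  "node_modules/left-pad": { version: "1.3.0" },
} };
const sampleTimes = { "@tanstack/react-router": {
  "9.9.0": "2026-04-02T10:00:00.000Z", "9.9.1": "2026-05-11T19:23:41.000Z",
} };

console.log(JSON.stringify(findWindowHits(sampleLock, sampleTimes), null, 2));
```

In practice, parse the real lockfile with JSON.parse and fill publishTimes from the registry's time field for each @tanstack package; anything listed under unknown needs manual review rather than being treated as clean.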
Sources: OpenAI says no user data was touched in the TanStack npm worm