Security, News & Updates

OpenAI macOS App Expires June 12 After TanStack Supply Chain Hit

OpenAI confirmed two employee devices and its app signing keys were compromised in the Mini Shai-Hulud TanStack npm attack. macOS users must update before June 12 or the desktop app stops working.

3 min read
OpenAI macOS App Expires June 12 After TanStack Supply Chain Hit

Image by OpenAI

OpenAI macOS App Expires June 12 After TanStack Supply Chain Hit

OpenAI today confirmed that two of its employee devices were compromised by the Mini Shai-Hulud npm supply chain attack that swept through the TanStack ecosystem on May 11. The company says no user data was accessed and no production systems were touched, but the incident has a direct consequence for every developer running an OpenAI desktop app on macOS: update before June 12, 2026, or the app will stop working.

The attack, attributed to threat group TeamPCP and tracked as CVE-2026-45321 with a CVSS score of 9.6, published 84 malicious npm artifacts across 42 packages in the @tanstack namespace — including @tanstack/react-router, which pulls more than 12.7 million downloads a week. The compromised packages were published using TanStack's own legitimate release pipeline by chaining three GitHub Actions weaknesses: a pull_request_target "Pwn Request" misconfiguration, cross-fork cache poisoning, and runtime extraction of an OIDC token from the Actions runner process memory. The result was malicious packages that carried valid SLSA provenance, meaning standard supply chain verification would not have flagged them.

What OpenAI Disclosed

OpenAI said its code-signing certificates for Windows, macOS, iOS, and Android applications were among the credential material exfiltrated from the affected internal repositories. The company has already revoked the ability to notarize further apps with the compromised certificate, so any fraudulent software impersonating OpenAI tools will now be blocked by macOS Gatekeeper by default. It is re-signing all applications with new certificates and distributing the updates through each platform's standard update channel.

The June 12 deadline is firm. Once Apple finalizes revocation, new downloads and first-time launches of apps still signed with the old certificate will be blocked. OpenAI set the window to minimize disruption for users who update through the app's built-in mechanism. Developers and users who let the macOS app sit unupdated past that date will need to do a clean reinstall.

On the internal side, OpenAI's post-incident hardening includes tightening credential storage in its CI/CD pipeline, rolling out package manager configurations with controls such as minimumReleaseAge to slow down newly published packages, and deploying additional tooling to validate package provenance before install. The two affected employee devices had not yet received these updated configurations at the time of the attack.

The Developer Remediation Checklist

The broader TanStack attack is the more immediately pressing concern for the developer community. Anyone whose build pipelines ran npm install on May 11, 2026 and pulled a @tanstack/* package should treat that install environment as potentially compromised. The attack spread beyond TanStack, affecting 65 UiPath packages, Mistral AI's npm and PyPI packages, the OpenSearch JavaScript client, and the Guardrails AI PyPI package — bringing the total to more than 170 packages with roughly 518 million cumulative downloads.

The mandatory remediation checklist from TanStack's own postmortem and Snyk's analysis:

  • Audit lock files and CI logs for any @tanstack/* versions published during the attack window (May 11, 2026)
  • Rotate all credentials from affected install environments: npm tokens, GitHub PATs, AWS/GCP/Azure credentials, Kubernetes service account tokens, and CI/CD secrets
  • Check for the persistence daemon at ~/Library/LaunchAgents/com.user.gh-token-monitor.plist on macOS or ~/.config/systemd/user/gh-token-monitor.service on Linux and remove it before revoking any tokens
  • Inspect .claude/ and .vscode/ directories for payload files such as router_runtime.js or setup.mjs, which survive a standard npm uninstall
  • Block at the DNS or proxy level: git-tanstack[.]com, *.getsession.org, and 83.142.209[.]194
  • Upgrade to clean versions published after May 12, 2026 by verified TanStack maintainers

Confirmed-clean TanStack families: @tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, and @tanstack/store. The compromised families centered on router, start, devtools, and adapter packages.

What Is Still Unknown

OpenAI has not named the specific types of credential material beyond confirming it was pulled from a limited subset of internal repositories. Whether any of those credentials were acted upon after exfiltration — beyond the signing certificate rotation that the company has already disclosed — has not been confirmed.

Separately, the Session messenger dead-drop channel used by the TeamPCP campaign is a new capability introduced in this fourth wave of Mini Shai-Hulud attacks, and it is harder to disrupt than the domain-based exfiltration channels used in earlier campaigns. Snyk and Aikido have noted that at least 400 repositories with stolen credentials were created as part of this wave; how many remain active has not been confirmed.

For developers relying on OpenAI's macOS desktop tools, the immediate action is simple: open the app and update now. For any engineering team whose CI ran npm install on May 11, credential rotation is not optional.

Share:

Other Latest News

Anthropic Brings Back Third-Party Agents on Claude With Monthly SDK Credits
AI Agents, News & Updates

Anthropic Brings Back Third-Party Agents on Claude With Monthly SDK Credits

Anthropic has reversed its April ban on third-party agent tools, introducing new monthly "Agent SDK" credits on all paid Claude plans—but the move ends the era of subsidized agentic compute on flat subscriptions, effective June 15.

May 14, 2026
Cursor Ships Controlled Dev Environments for Cloud Agents
AI Agents, News & Updates, Code Editors

Cursor Ships Controlled Dev Environments for Cloud Agents

Cursor's new release gives teams full control over the environments their cloud agents run in — with multi-repo support, Dockerfile-based config, 70% faster builds, and environment-level audit logs.

May 14, 2026
Claude Code Launches Agent View for Parallel Session Management
AI Agents, News & Updates

Claude Code Launches Agent View for Parallel Session Management

Anthropic shipped Agent View—a unified CLI dashboard for managing parallel Claude Code sessions—and revealed doubled rate limits for all paid plans at its annual Code w/ Claude SF developer conference.

May 13, 2026
Google Turns Android Into an Intelligence System With Gemini
AI Agents, News & Updates, Vibe Coding

Google Turns Android Into an Intelligence System With Gemini

At the Android Show 2026, Google unveiled Gemini Intelligence — an agentic AI layer that automates tasks across apps, introduces natural-language widget building, and reshapes how Android developers need to think about their apps.

May 13, 2026
Windsurf Adds Opus 4.7 Fast Mode With 2.5× Output Speeds
AI Agents, News & Updates, Code Editors

Windsurf Adds Opus 4.7 Fast Mode With 2.5× Output Speeds

Windsurf adds Opus 4.7 fast mode to its AI-native IDE, delivering the full intelligence of Anthropic's latest Opus model at up to 2.5x higher output speeds — a meaningful upgrade for developers running parallel agentic sessions.

May 13, 2026
Cursor Brings Cloud Agents to Microsoft Teams
AI Agents, News & Updates, Code Editors

Cursor Brings Cloud Agents to Microsoft Teams

Cursor's new Microsoft Teams integration lets developers @mention a cloud agent directly from any Teams channel — the agent automatically selects the right repo and model, reads the full thread for context, and opens a PR for review.

May 12, 2026
← Scroll for more →