OpenAI macOS App Expires June 12 After TanStack Supply Chain Hit

OpenAI confirmed two employee devices and its app signing keys were compromised in the Mini Shai-Hulud TanStack npm attack. macOS users must update before June 12 or the desktop app stops working.


OpenAI today confirmed that two of its employee devices were compromised by the Mini Shai-Hulud npm supply chain attack that swept through the TanStack ecosystem on May 11. The company says no user data was accessed and no production systems were touched, but the incident has a direct consequence for every developer running an OpenAI desktop app on macOS: update before June 12, 2026, or the app will stop working.

The attack, attributed to threat group TeamPCP and tracked as CVE-2026-45321 with a CVSS score of 9.6, published 84 malicious npm artifacts across 42 packages in the @tanstack namespace — including @tanstack/react-router, which pulls more than 12.7 million downloads a week. The compromised packages were published using TanStack's own legitimate release pipeline by chaining three GitHub Actions weaknesses: a pull_request_target "Pwn Request" misconfiguration, cross-fork cache poisoning, and runtime extraction of an OIDC token from the Actions runner process memory. The result was malicious packages that carried valid SLSA provenance, meaning standard supply chain verification would not have flagged them.

What OpenAI Disclosed

OpenAI said its code-signing certificates for Windows, macOS, iOS, and Android applications were among the credential material exfiltrated from the affected internal repositories. The company has already revoked the ability to notarize further apps with the compromised certificate, so any fraudulent software impersonating OpenAI tools will now be blocked by macOS Gatekeeper by default. It is re-signing all applications with new certificates and distributing the updates through each platform's standard update channel.

The June 12 deadline is firm. Once Apple finalizes revocation, new downloads and first-time launches of apps still signed with the old certificate will be blocked. OpenAI set the window to minimize disruption for users who update through the app's built-in mechanism. Developers and users who let the macOS app sit unupdated past that date will need to do a clean reinstall.

On the internal side, OpenAI's post-incident hardening includes tightening credential storage in its CI/CD pipeline, rolling out package manager configurations with controls such as minimumReleaseAge to slow down newly published packages, and deploying additional tooling to validate package provenance before install. The two affected employee devices had not yet received these updated configurations at the time of the attack.

The Developer Remediation Checklist

The broader TanStack attack is the more immediately pressing concern for the developer community. Anyone whose build pipelines ran npm install on May 11, 2026 and pulled a @tanstack/* package should treat that install environment as potentially compromised. The attack spread beyond TanStack, affecting 65 UiPath packages, Mistral AI's npm and PyPI packages, the OpenSearch JavaScript client, and the Guardrails AI PyPI package — bringing the total to more than 170 packages with roughly 518 million cumulative downloads.

The mandatory remediation checklist from TanStack's own postmortem and Snyk's analysis:

  • Audit lock files and CI logs for any @tanstack/* versions published during the attack window (May 11, 2026)
  • Rotate all credentials from affected install environments: npm tokens, GitHub PATs, AWS/GCP/Azure credentials, Kubernetes service account tokens, and CI/CD secrets
  • Check for the persistence daemon at ~/Library/LaunchAgents/com.user.gh-token-monitor.plist on macOS or ~/.config/systemd/user/gh-token-monitor.service on Linux and remove it before revoking any tokens
  • Inspect .claude/ and .vscode/ directories for payload files such as router_runtime.js or setup.mjs, which survive a standard npm uninstall
  • Block at the DNS or proxy level: git-tanstack[.]com, *.getsession.org, and 83.142.209[.]194
  • Upgrade to clean versions published after May 12, 2026 by verified TanStack maintainers

Confirmed-clean TanStack families: @tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, and @tanstack/store. The compromised families centered on router, start, devtools, and adapter packages.

What Is Still Unknown

OpenAI has not named the specific types of credential material beyond confirming it was pulled from a limited subset of internal repositories. Whether any of those credentials were acted upon after exfiltration — beyond the signing certificate rotation that the company has already disclosed — has not been confirmed.

Separately, the Session messenger dead-drop channel used by the TeamPCP campaign is a new capability introduced in this fourth wave of Mini Shai-Hulud attacks, and it is harder to disrupt than the domain-based exfiltration channels used in earlier campaigns. Snyk and Aikido have noted that at least 400 repositories with stolen credentials were created as part of this wave; how many remain active has not been confirmed.

For developers relying on OpenAI's macOS desktop tools, the immediate action is simple: open the app and update now. For any engineering team whose CI ran npm install on May 11, credential rotation is not optional.
