OpenAI Confirms Developer Devices Breached via TanStack Supply Chain Attack — Code-Signing Certificates Rotated

OpenAI confirmed that two developer devices were compromised as a result of the TanStack npm supply chain attack disclosed on 12 May, with malicious postinstall hooks executing on machines running npm install within the six-minute poisoning window. OpenAI rotated all affected code-signing certificates and npm tokens and is investigating whether any internal packages published using the compromised credentials were delivered downstream.

OpenAI confirmed that two developer machines were breached as a result of the TanStack npm supply chain attack that occurred on 11 May 2026, in which threat actors published 84 malicious package versions across 42 @tanstack/* packages using hijacked OIDC tokens. The OpenAI developers ran npm install during the six-minute window in which the malicious packages were live on the npm registry, causing the postinstall credential-stealing hooks to execute and exfiltrate credentials including npm access tokens and code-signing certificate private keys.

What Was Compromised

OpenAI’s investigation determined that the malicious postinstall script executed on two developer workstations and exfiltrated:

  • npm access tokens: Scoped tokens for packages in OpenAI’s npm organisation. These were revoked within two hours of OpenAI detecting the incident.
  • Code-signing certificate private keys: Certificate keys used to sign certain OpenAI-published npm packages and internal tools. OpenAI rotated all affected certificates and issued revocations through the Certificate Transparency log and their certificate authority.
  • Environment variables: Build environment variables including API keys for internal services. These were rotated.

OpenAI stated that source code repositories were not accessed directly, but acknowledged that the exfiltrated npm tokens would have provided write access to certain package repositories if used before revocation. An investigation is ongoing to determine whether the threat actors used the stolen tokens before OpenAI’s revocation.

Downstream Risk

The combination of stolen npm tokens and code-signing certificates creates a secondary supply chain risk: if the threat actors used the stolen tokens to publish malicious versions of any OpenAI-published npm packages before revocation, those packages could have reached downstream consumers including developers using the OpenAI JavaScript SDK and related tooling.

OpenAI has asked consumers of its npm packages to verify package signatures against the rotated certificates and to check their package-lock.json files for any OpenAI npm packages published on 11–12 May 2026 to identify potentially affected versions. OpenAI confirmed that the openai package on npm (the primary OpenAI API client) was not affected, as it uses a separate publishing pipeline with different credentials.
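The lockfile check described above can be scripted. The following added example (not OpenAI's or npm's own tooling) flags lockfile entries for watched packages whose version was published inside a date window. The `@openai/example-tool` name, all versions and all publish times are constructed, and treating 11–12 May 2026 as UTC days is an assumption.

```javascript
// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (lockfile v2/v3 keys).
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// matchers: exact names ("openai") or scope prefixes ending in "/" ("@openai/").
function isWatched(name, matchers) {
  return matchers.some((m) => (m.endsWith("/") ? name.startsWith(m) : name === m));
}

// publishTimes: { name: { version: ISO time } }, the shape printed by
// `npm view <name> time --json`, gathered separately from the registry.
function auditLock(lock, publishTimes, matchers, windowStart, windowEnd) {
  const [start, end] = [windowStart, windowEnd].map((s) => Date.parse(s));
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (!name || !isWatched(name, matchers)) continue;
    const iso = (publishTimes[name] || {})[entry.version] || null;
    const t = iso ? Date.parse(iso) : NaN;
    // No usable publish time means the entry needs manual review.
    let status = "unknown";
    if (!Number.isNaN(t)) status = t >= start && t <= end ? "in-window" : "ok";
    findings.push({ path: key, name, version: entry.version, published: iso, status });
  }
  return findings;
}

// Constructed sample data: only "openai" is a real package name; versions are invented.
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/openai": { version: "9.9.1" },
  "node_modules/@openai/example-tool": { version: "0.0.2" },
  "node_modules/left/node_modules/@openai/example-tool": { version: "0.0.3" },
  "node_modules/example-lib": { version: "4.0.0" },
} };
const SAMPLE_TIMES = {
  openai: { "9.9.1": "2026-04-02T10:00:00.000Z" },
  "@openai/example-tool": { "0.0.2": "2026-05-11T21:14:00.000Z" },
};
const WINDOW = ["2026-05-11T00:00:00Z", "2026-05-12T23:59:59Z"]; // assumed UTC days
const runSample = () => auditLock(SAMPLE_LOCK, SAMPLE_TIMES, ["openai", "@openai/"], ...WINDOW);
console.log(runSample());
```

Entries reported as `unknown` have no publish time in the supplied metadata and should be looked up rather than assumed safe.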

Industry Implications

The OpenAI breach confirmation elevates the TanStack supply chain incident from a vulnerability in a single project’s CI configuration to a confirmed supply chain attack that reached a major AI company’s development environment. The incident illustrates the multiplier effect of npm supply chain attacks: compromising one project’s CI/CD can yield credentials that provide write access to dozens of other packages across multiple organisations.

  • Audit @tanstack package versions: Confirm your project is using safe @tanstack/* versions per the TanStack security advisory. The malicious window was 19:20–19:26 UTC on 11 May.
  • Verify OpenAI npm packages: If consuming any @openai/* or openai npm packages, verify package integrity against current checksums and review any packages installed on 11–14 May during the investigation window.
  • Review your own CI/CD: Assess whether your organisation’s CI/CD pipelines use pull_request_target triggers that could expose your npm tokens or code-signing keys to the same Pwn Request attack pattern.
  • Credential hygiene audit: Use this incident as a trigger to audit which CI/CD workflows have access to npm tokens, code-signing keys, and cloud credentials, and ensure least-privilege scoping.
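
For the CI/CD review in the list above, a first-pass triage can be automated. This added example (not from TanStack or any advisory) uses a text heuristic to flag workflows that combine a `pull_request_target` trigger with a checkout of the pull request's head and access to secrets or OIDC tokens; the sample workflows and the risk labels are constructed for illustration.

```javascript
// Text heuristic, not a YAML parser. Sample workflows below are constructed.
const CHECKS = {
  privilegedTrigger: /\bpull_request_target\b/,
  checksOutPrHead: /github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref/,
  usesSecrets: /\$\{\{\s*secrets\.[A-Za-z0-9_]+/,
  oidcWrite: /id-token:\s*write/,
};

// Risk labels ("high", "review", "low", "not-applicable") are this example's own.
function triageWorkflow(yamlText) {
  // Ignore full-line comments so a commented-out trigger is not counted.
  const body = yamlText.split("\n").filter((l) => !l.trim().startsWith("#")).join("\n");
  const hits = {};
  for (const [name, re] of Object.entries(CHECKS)) hits[name] = re.test(body);
  if (!hits.privilegedTrigger) return { risk: "not-applicable", hits };
  // PR-controlled code in a job that holds credentials is the combination to remove.
  const credentials = hits.usesSecrets || hits.oidcWrite;
  let risk = "low";
  if (hits.checksOutPrHead || credentials) risk = "review";
  if (hits.checksOutPrHead && credentials) risk = "high";
  return { risk, hits };
}

const RISKY = [
  "on: pull_request_target",
  "permissions:",
  "  id-token: write",
  "jobs:",
  "  build:",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "        with:",
  "          ref: ${{ github.event.pull_request.head.sha }}",
  "      - run: npm install && npm test",
  "        env:",
  "          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}",
].join("\n");
const LABEL_ONLY = [
  "on: pull_request_target",
  "jobs:",
  "  label:",
  "    steps:",
  "      - uses: actions/labeler@v5",
  "        with:",
  "          repo-token: ${{ secrets.GITHUB_TOKEN }}",
].join("\n");
const UNPRIVILEGED = "# on: pull_request_target\non: pull_request\njobs: {}";
console.log([RISKY, LABEL_ONLY, UNPRIVILEGED].map((w) => triageWorkflow(w).risk));
```

A `high` or `review` result is a prompt to read the workflow, since a text match cannot tell which job or step actually receives the credentials.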
