164news.com


OpenAI says no user data was touched in the TanStack npm worm

Posted on May 14, 2026 by 164news66

May 14, 2026 – 8:20 am

Two corporate laptops, some credential material, and a forced macOS app update. The intriguing part is how the malicious packages got published in the first place: not with a stolen npm password, but through TanStack’s own legitimate release pipeline, after attacker-controlled code took over the build runner mid-workflow.

OpenAI said on Wednesday that it has found no evidence of user data access, product compromise, or alteration of its software following the supply-chain compromise of TanStack npm packages earlier this week.

Two employee devices within OpenAI’s corporate environment were affected, the company revealed in a notice published on its website. Limited credential material was exfiltrated from internal code repositories. Passwords and API keys were not compromised.

The notable part is how the malicious packages reached the registry. On May 11, between 7:20 and 7:26 UTC, 84 malicious artifacts were uploaded across 42 packages in the @tanstack namespace, including @tanstack/react-router (over 12.7 million weekly downloads).

They weren’t uploaded by an attacker who had phished an npm credential. They were published through TanStack’s legitimate release pipeline under its trusted OIDC identity, after an attacker-controlled fork hijacked a GitHub Actions runner mid-workflow and the attacker’s code extracted the OIDC token directly from the runner’s process memory. Because the publish came from the pipeline’s own identity, a signature or provenance check on the packages passes; nothing in the artifacts themselves marks them as illegitimate.
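One check a team in OpenAI’s position would run against its own repositories, written here as an added example (not code from OpenAI, TanStack or npm): take the publication window the article gives, 07:20 to 07:26 UTC on May 11, look up each locked package’s publish timestamps in the registry’s `time` map, and flag any lockfile entry whose resolved version was published inside that window. The registry documents and package-lock.json below are constructed stand-ins, and the version numbers are hypothetical, not the actual affected releases.

```python
"""Flag lockfile entries whose resolved version was published inside a
known-malicious window. Added example, not code from OpenAI, TanStack or
npm; the registry metadata and lockfile below are constructed."""
import json
from datetime import datetime, timezone

# Publication window reported for the @tanstack uploads: 2026-05-11 07:20-07:26 UTC.
WINDOW_START = datetime(2026, 5, 11, 7, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 11, 7, 26, tzinfo=timezone.utc)

# Constructed stand-in for the npm registry package document, which carries a
# "time" map of version -> ISO-8601 publish timestamp (plus "created" and
# "modified"). Version numbers are hypothetical, not the real affected versions.
REGISTRY_DOCS = {
    "@tanstack/react-router": {
        "time": {
            "created": "2020-01-01T00:00:00.000Z",
            "modified": "2026-05-11T07:23:10.000Z",
            "1.0.0": "2026-04-30T12:00:00.000Z",
            "1.0.1": "2026-05-11T07:23:10.000Z",
        }
    },
    "left-pad": {
        "time": {
            "created": "2016-03-22T00:00:00.000Z",
            "modified": "2026-05-11T07:22:00.000Z",
            "1.3.0": "2018-04-01T00:00:00.000Z",
        }
    },
}

# Constructed package-lock.json (lockfileVersion 3 layout) for a project that
# depends on both packages.
LOCKFILE = json.loads("""{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "0.0.1"},
    "node_modules/@tanstack/react-router": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/@tanstack/react-router/-/react-router-1.0.1.tgz"
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    }
  }
}""")


def parse_npm_time(stamp: str) -> datetime:
    """npm emits UTC timestamps of the form 2026-05-11T07:23:10.000Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def versions_in_window(doc: dict, start: datetime, end: datetime) -> set[str]:
    """Return the versions of one package published inside [start, end]."""
    hits = set()
    for version, stamp in doc.get("time", {}).items():
        if version in ("created", "modified"):
            continue  # registry bookkeeping keys, not versions
        if start <= parse_npm_time(stamp) <= end:
            hits.add(version)
    return hits


def flag_lockfile(lockfile: dict, registry: dict,
                  start: datetime = WINDOW_START,
                  end: datetime = WINDOW_END) -> list[tuple[str, str]]:
    """List (package, version) pairs from the lockfile published inside the window.

    Entries are keyed like 'node_modules/@scope/name' (lockfileVersion >= 2);
    nested paths such as 'node_modules/a/node_modules/b' resolve to 'b'.
    """
    flagged = []
    for path, entry in lockfile.get("packages", {}).items():
        if not path:
            continue  # the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        doc = registry.get(name)
        if doc is None:
            continue  # no metadata fetched for this package; request it from the registry
        if entry.get("version") in versions_in_window(doc, start, end):
            flagged.append((name, entry["version"]))
    return flagged


if __name__ == "__main__":
    for name, version in flag_lockfile(LOCKFILE, REGISTRY_DOCS):
        print(f"{name}@{version} was published inside the malicious window")
```

Against live data, populate the registry map by fetching `https://registry.npmjs.org/<name>` for each locked package. The window check only catches the @tanstack publish itself; repeat it with the windows of the other affected namespaces, and treat a hit as the trigger for isolation and credential rotation rather than as the whole investigation.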

TanStack maintainer Tanner Linsley accurately described this as the first documented npm worm to ship with a valid signed certificate of authenticity.

This campaign is known as Mini Shai-Hulud, a self-replicating descendant of the original worm that hit the npm registry in September 2025. It has since compromised over 170 packages across npm and PyPI from notable organizations like Mistral AI, UiPath, OpenSearch, and Guardrails AI, amassing over 518 million cumulative downloads (according to OX Security). Microsoft Security Research tracks it as the same campaign responsible for activities in November and December 2025 under the Shai-Hulud 2.0 banner.

OpenAI’s exposure stems from this fan-out. The company hasn’t disclosed which TanStack package its developers were using when the compromise occurred, stating only that affected machines have been isolated and credential rotation is underway. Code-deployment workflows have been temporarily restricted, and code-signing certificates are being rotated—which is why macOS users of the ChatGPT desktop app are experiencing forced application updates this week.

OpenAI’s framing of the incident is narrow on purpose. The company draws a clear distinction between its corporate engineering environment, where the breach occurred, and its product surface, where it says nothing was touched. That distinction is what separates a workplace IT incident from a customer-facing security event, and OpenAI wants to be clear that this is not the latter.

The broader implications are less clear. Mini Shai-Hulud exploited three GitHub Actions weaknesses (a pull_request_target trigger, which runs a workflow with the base repository’s permissions even when the code under test comes from a fork; cache poisoning; and an access-control bypass). The incident underscores the growing sophistication of supply-chain attacks and how far a single pipeline compromise can reach.
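The first of those three, shown as an added example rather than a reconstruction of TanStack’s actual workflow: `pull_request_target` runs the workflow in the base repository’s context, with its secrets and a GITHUB_TOKEN that can be granted `id-token: write`, and the classic mistake is to then check out and execute the pull request’s own code. The two workflows below are constructed to put the weak shape beside a plain `pull_request` version, which runs fork code with a read-only token and no secrets; the checker is a deliberately simple text scan, not a full YAML parser.

```python
"""Spot the 'pwn request' shape in GitHub Actions workflows: a
pull_request_target trigger combined with checking out and running the pull
request's own code. Added example, not TanStack's or OpenAI's workflow; both
workflows below are constructed, and the check is a plain text scan."""
import re

# Constructed: the weak shape. The PR head from a fork is checked out, then
# `npm install` runs its install scripts with the base repository's secrets,
# a write token, and the ability to request an OIDC token.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
"""

# Constructed: the same job on the plain pull_request trigger. Fork PRs then
# run with a read-only token and no secrets, and no id-token permission is
# granted; --ignore-scripts also keeps dependency install scripts from running.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts && npm test
"""

TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:", re.MULTILINE)
# Any reference to the PR head (its sha, ref or source repo) handed to a step.
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref|repo)")
ID_TOKEN_RE = re.compile(r"^\s*id-token\s*:\s*write", re.MULTILINE)


def audit_workflow(text: str) -> list[str]:
    """Return findings for the pull_request_target + PR-head-checkout shape.

    An empty list means the shape was not found. A pull_request_target
    workflow that never checks out the PR head (labelling, commenting) is the
    trigger's intended use and is not reported.
    """
    findings = []
    if not TRIGGER_RE.search(text):
        return findings  # plain pull_request: fork code gets no secrets or write token
    if not HEAD_REF_RE.search(text):
        return findings  # privileged trigger, but the fork's code is never executed
    findings.append("pull_request_target checks out the PR head: fork code runs with "
                    "the base repository's secrets and GITHUB_TOKEN")
    if ID_TOKEN_RE.search(text):
        findings.append("id-token: write is granted to that run, so fork code can "
                        "request an OIDC token in the repository's identity")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or ["no findings"])
```

Run this over `.github/workflows/*.yml` as a first pass; it will not see indirect forms such as a reusable workflow or a composite action that does the checkout, so a hit is a reason to read the workflow, and a miss is not a clean bill.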

Copyright © 2026 164news.com.

Powered by PressBook Dark WordPress theme