OpenAI Urges macOS Users to Update After TanStack Supply Chain Attack Hits Signing Keys


What happened

OpenAI has urged macOS users to update their applications by June 12, 2026, after a supply chain attack compromised the signing certificates the company uses to authenticate its software. The attack, part of a broader campaign targeting the TanStack open-source library and additional npm and PyPI packages, resulted in two OpenAI employee devices being compromised, with credential-focused exfiltration activity observed in a limited subset of internal source code repositories those employees could access.

OpenAI confirmed that limited credential material was exfiltrated from repositories covering its iOS, macOS, and Windows products, but said no customer data was stolen and no unauthorized modifications to published software were found. The company isolated affected systems, revoked user sessions, rotated credentials, and is coordinating with platforms to block new notarizations using the compromised certificates. macOS users must install updates containing new certificates; Windows and iOS users do not need to take action. Any fake apps using the affected certificates will be blocked by default by macOS unless users explicitly bypass protections.

The broader TanStack attack, attributed to TeamPCP, compromised 84 npm package artifacts on Sunday across packages with up to 12 million weekly downloads. The malware steals credentials from common locations and self-propagates by targeting other packages the victim maintains and republishing them with the same infostealer. UK government officials said the malicious packages were uploaded in two phases on April 29 and May 11. Mistral AI also confirmed it was impacted, with TeamPCP temporarily compromising one of its codebase management systems on May 12 through the same supply chain attack vector. TeamPCP subsequently offered stolen Mistral AI internal repositories and source code for sale.

TeamPCP has been linked to a series of escalating supply chain compromises including the LiteLLM attack in April, a stolen Amazon API key used to breach the European Commission, and the broader Shai-Hulud campaign targeting npm and PyPI ecosystems. OpenAI noted that following a separate supply chain attack by alleged North Korean hackers in March, it had accelerated deployment of security controls to reduce supply chain attack impact.

Who is affected

macOS users of OpenAI applications must update before June 12 or face loss of updates and potential service disruption. Developers who installed compromised TanStack npm packages face credential exposure across cloud environments, source code repositories, and publishing accounts. Mistral AI’s codebase management systems were also compromised, though the company stated hosted services, managed user data, and research environments were not affected.

Why CISOs should care

TeamPCP has now compromised TanStack, LiteLLM, the European Commission, Mistral AI, and indirectly OpenAI within a compressed timeframe, establishing it as one of the most operationally active supply chain threat actors documented in 2026. The self-propagating behavior of the TanStack malware, which republishes infected versions of packages the compromised developer maintains, creates an exponential spread mechanism that amplifies the reach of each successful developer account compromise.

The OpenAI signing certificate compromise also illustrates a supply chain risk that sits above the package level: when attacker access reaches the credentials used to authenticate software itself, the trust mechanism that users rely on to verify legitimate software is directly undermined.

3 practical actions

  1. Update all OpenAI macOS applications immediately and do not wait for the June 12 deadline: The new certificates are available now. Delaying leaves a window where the compromised certificates remain in use, and June 12 represents the cutoff for support rather than a recommended update date.
  2. Audit developer environments for TanStack npm package exposure and rotate all credentials on affected systems: Check for compromised TanStack package versions across all development environments, CI/CD pipelines, and container images. Any system where affected packages were installed should be treated as a confirmed credential compromise requiring full rotation of cloud credentials, npm tokens, GitHub tokens, and API keys.
  3. Review your organization’s exposure to TeamPCP’s documented attack infrastructure and indicators: TeamPCP has published indicators across multiple incidents including TanStack, LiteLLM, Checkmarx, and the European Commission breach. Consolidate these IoCs into your threat intelligence platform and run retrospective hunts across your environment logs for any evidence of prior contact with TeamPCP infrastructure.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.