# OpenAI Responds to Supply Chain Attack Targeting TanStack and Other AI Companies
**OpenAI** is taking swift action to protect its users after a supply chain attack compromised signing keys used to verify the legitimacy of its applications. The incident, linked to a broader campaign affecting the popular open-source library **TanStack** and other AI-related packages, prompted **OpenAI** to mandate updates for macOS users by June 12.
**OpenAI** is mandating that macOS users update their applications by June 12 to mitigate the impact of a recent supply chain attack. After this date, older versions will no longer receive updates or support, and the service may cease to function.
The new certificates included in the update will help users verify that the software originates from **OpenAI**.
## Scope of the Attack
The attack is part of a broader campaign impacting the open-source library **TanStack** and other npm and PyPI packages associated with several AI companies.
**OpenAI** disclosed in a blog post that two employee devices within its corporate network were affected. An incident response firm was engaged to investigate and contain the breach.
"We observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access," **OpenAI** stated.
The company confirmed that only limited credential material was exfiltrated from these repositories and that no other information or code was compromised. Impacted systems were isolated, user sessions revoked, and credentials rotated. **OpenAI** claims that thorough scrutiny of user and credential behavior revealed no evidence of customer data theft.
The affected source code repositories include those for iOS, macOS, and Windows products. While Windows and iOS users need not take action, macOS users must install the updates.
**OpenAI** is also collaborating with other platforms to prevent unauthorized use of the compromised certificates by halting new notarizations.
"We have also reviewed all notarization of software using our previous certificates to confirm no unexpected software signing has occurred with these keys, and validated that our published software did not have unauthorized modifications. We have found no evidence of compromise or risk to existing software installations," the company added.
These measures ensure that any fake apps impersonating **OpenAI** and using the compromised certificates will be blocked by macOS by default, unless users explicitly bypass these protections.
## TanStack Attack Details
The attack on **TanStack** raised alarms within the cybersecurity and developer community after 84 npm package artifacts were compromised. These packages were modified to include credential stealers targeting developers.
Some of the affected packages have over 12 million weekly downloads and are widely used. **TanStack** warned that the malware not only steals credentials but also self-propagates, targeting other packages maintained by victims and republishing them with the same malware.
UK government officials reported that the malicious packages were uploaded in two phases on April 29 and May 11.
Avital Harel, security research lead at **Upwind**, explained that the attack is akin to downloading a legitimate software update, only to find hidden code designed to steal sensitive information such as passwords and access tokens.
The downstream impact is significant, as attackers could gain access to company systems, software publishing accounts, or cloud environments, potentially affecting applications and services relied upon by millions.
Harel noted the destructive behavior of the malware, which included actions targeting specific geographic regions, suggesting a sophisticated and intentional operation.
## TeamPCP's Role
The group allegedly behind the incident, **TeamPCP**, offered stolen internal repositories and source code from **Mistral AI** for sale. **Mistral AI** confirmed it was impacted by the **TanStack** incident.
A **Mistral AI** spokesperson stated that a codebase management system was "temporarily" compromised on May 12 through a third-party software supply chain attack. The company claims to have rapidly neutralized the attack and secured its infrastructure.
"From this investigation, we have concluded that attackers did not access any data beyond certain non-core code repositories. Neither our hosted services, managed user data, nor any of our research and testing environments were compromised," the spokesperson said.
**TeamPCP** was also responsible for an April attack on the open-source Python package **LiteLLM**, which led to breaches at organizations including **Mercor**. The group also used a stolen **Amazon** API key to breach the **European Commission** last month.
Supply chain attacks have become a popular method for compromising large numbers of users and systems due to the interconnected nature of open-source libraries and package managers.
**OpenAI** stated that it had accelerated the deployment of specific security controls and technologies to mitigate the impact of supply chain attacks following a previous incident in March linked to alleged North Korean hackers.

