### OpenAI's Response to the TanStack Attack **OpenAI** confirmed that the compromise did not affect user data, production systems, or intellectual property. "Upon identification of the malicious activity, we worked quickly to investigate, contain, and take steps to protect our systems," the company stated. The attackers gained unauthorized access to a limited subset of internal source code repositories, potentially exfiltrating some credential material. **OpenAI** responded by isolating impacted systems, revoking user sessions, and rotating credentials across affected repositories. They also temporarily restricted code-deployment workflows and audited user and credential behavior. ### Certificate Revocation and macOS Updates Because the compromised repositories included signing certificates for iOS, macOS, and Windows products, **OpenAI** has revoked the certificates and issued new ones. macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas are required to update their apps to the latest versions to prevent the distribution of potentially fake apps. The certificates are scheduled to be revoked on June 12, 2026. Users of Windows and iOS apps do not need to take any action. This marks the second time **OpenAI** has rotated its code-signing certificates for macOS within a short period. In mid-April 2026, they revoked certificates after a GitHub Actions workflow led to the download of the malicious Axios library, compromised by the North Korean hacking group **UNC1069**. ### The Broader Threat Landscape **OpenAI** emphasized that this incident reflects a growing trend where attackers target shared software dependencies and development tooling. The interconnected nature of modern software development makes it vulnerable to upstream vulnerabilities that can quickly spread across organizations. ### TeamPCP's Expanding Campaign **TeamPCP** has claimed responsibility for compromising hundreds of packages associated with **TanStack**, **UiPath**, **Mistral AI**, **OpenSearch**, and **Guardrails AI**. This ongoing supply chain attack aims to distribute malware and steal credentials from developers' systems, further expanding the scope of the breaches. **TanStack** clarified that no maintainer accounts were directly compromised. Instead, the attackers engineered a path to steal the CI pipeline's publish token through a trusted cache, highlighting the sophistication of the attack. ### Supply Chain Attack Contest Adding another layer of concern, **TeamPCP** has announced a supply chain attack contest in partnership with **Breached** cybercrime, offering $1,000 in Monero to those who successfully compromise open-source packages using the **Shai-Hulud worm**. The group has also threatened to leak 5GB of internal source code from **Mistral AI**, demanding $25,000 for its non-disclosure. **Mistral AI** confirmed that it was impacted by the **TanStack** compromise, resulting in trojanized versions of its npm and PyPI SDKs. They also reported that one developer device was affected. There is no evidence to suggest its infrastructure was breached. ### Technical Analysis of the Malware A detailed analysis of the modular Python toolkit used in the attack reveals that the primary command-and-control (C2) server address ("83.142.209[.]194") is hard-coded. If the primary C2 is unreachable, a fallback mechanism called FIRESCALE is activated. According to **Hunt.io**, FIRESCALE searches public GitHub commit messages for a signed alternative server URL, verified against an embedded 4096-bit RSA key. Exfiltration occurs through the primary C2 server, FIRESCALE redirect, or the victim's own GitHub repository. The malware's AWS credential harvesting module targets all 19 availability zones, including AWS GovCloud regions. Interestingly, the malware exhibits destructive behavior on machines geolocated to Israel or Iran, playing audio at maximum volume and deleting accessible files. This behavior, along with the presence of the malware on systems with a Russian locale, suggests a deliberate and targeted operation. ### Infrastructure Analysis Analysis of the attacker-controlled infrastructure revealed that three different IP addresses in the 83.142.209[.]0/24 subnet have served as C2 servers: 83.142.209[.]194, 83.142.209[.]11, and 83.142.209[.]203. The latter two were used in previous attacks targeting **Checkmarx** and **Telnyx**. Esteban Borges, head of research at **Hunt.io**, noted that the C2 addresses were first seen with SSH active months before the **TanStack** attack, indicating a period of infrastructure aging. **Hunt.io** identified the FIRESCALE tool and the modular Python malware as part of a larger toolkit used by **TeamPCP**, including a cloud stealer, a cryptocurrency miner, and VECT ransomware.