What Happened: A Mac Supply Chain Attack Via npm
OpenAI has issued an urgent security advisory for users of its macOS apps after a Mac supply chain attack involving compromised npm packages. The incident began when malware from the Mini Shai-Hulud campaign infiltrated two OpenAI employee devices through malicious versions of a popular npm dependency. These packages, tied to the Tanstack ecosystem, were pushed to npm in dozens of tainted releases before being quickly flagged and removed by security researchers. Although OpenAI reports no evidence that customer data, production systems, or intellectual property were accessed or altered, the attackers did reach a subset of internal source code repositories. The critical concern is not that existing apps suddenly became dangerous, but that sensitive signing materials within those repositories could be abused. That risk has triggered a sweeping OpenAI security update focused on app certificates and Mac user action.

How Tanstack and npm Malware Threats Entered the Picture
The breach traces back to an npm malware threat hidden inside Tanstack packages, widely used for web development. An attacker published 84 malicious versions across 42 Tanstack npm packages, some of which receive millions of weekly downloads. The malicious code executed during the npm install lifecycle, quietly attempting to exfiltrate developer credentials such as GitHub tokens, API keys, and secrets for cloud environments. Tanstack has warned that anyone who installed affected versions on 2026-05-11 must treat their install host as potentially compromised. OpenAI later confirmed that two employee devices in its corporate environment installed those malicious Tanstack versions. Subsequent investigation revealed activity consistent with credential-stealing malware and unauthorized access to a limited number of internal repositories. While OpenAI found no signs of tampering with released software, the event underscores how a single dependency in the npm supply chain can cascade into organization-wide risk.

Why Exposed Signing Certificates Are a Big Deal for Mac Users
Among the internal repositories accessed were those containing private signing certificates for OpenAI’s apps, including ChatGPT, Codex, and Atlas on macOS, alongside certificates for iOS and Windows. These code-signing certificates are what operating systems rely on to verify that applications are legitimate and unmodified. If attackers were to obtain and abuse such certificates, they could sign their own malware, making it appear as a trusted OpenAI app and potentially bypassing built-in security checks on macOS. OpenAI says it has found no evidence that any malicious software has been signed with its certificates. However, the possibility of app spoofing is serious enough that the company is rotating all affected certificates and coordinating with platform providers to block new notarization under the old keys. The practical risk now shifts to whether users install the new, correctly signed versions in time.

What You Must Do Now: Required ChatGPT Mac Update and More
If you use OpenAI’s Mac apps, you need to apply the latest OpenAI security update before the June 12 deadline. OpenAI will fully revoke the old macOS certificates on that date, after which new downloads and first-time launches of apps signed with the previous certificate may be blocked by macOS security protections. The required minimum versions are: ChatGPT Desktop 1.2026.125, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1. Install these only via in-app updates or from OpenAI’s official download links—not from email attachments, ads, chat messages, file-sharing links, or third-party sites. OpenAI notes that Windows and iOS users do not need to take special action beyond normal updates. For Mac users, however, updating promptly helps prevent attackers from exploiting any stolen signing materials to distribute fake OpenAI apps.

Lessons for Developers: Securing the Software Supply Chain
Beyond the immediate Mac supply chain attack, this incident illustrates how fragile modern software ecosystems can be when they rely heavily on third-party dependencies. A single compromised npm package—especially one as popular as the affected Tanstack components—can become an attack vector into developer laptops, source code repositories, and internal credentials. The OpenAI case shows that even when user data and production systems remain intact, exposed secrets like signing certificates can create long-lived risks for software integrity. For developers, this is a reminder to harden the build pipeline: lock and audit dependencies, monitor npm install behavior, and treat development machines as high-value targets. Organizations should also implement strict key management, minimize where signing materials are stored, and use rapid certificate rotation playbooks. As npm malware threats grow, proactive supply chain security is no longer optional—it is essential to protecting both developers and end users.
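
One way to act on "lock and audit dependencies" and on the install-lifecycle execution described earlier is to audit the lockfile before anything is installed. The script below is an added example, not code from OpenAI or Tanstack; the advisory list, package names and sample lockfile are constructed placeholders, since this article does not list the affected versions.

```javascript
// Added example: audits a parsed package-lock.json (lockfileVersion 2 or 3).
// ADVISORY is a constructed placeholder, not the real list of affected versions.
const ADVISORY = new Map([["@example-scope/router", ["9.9.1", "9.9.2"]]]);

// Constructed sample lockfile; integrity strings are dummies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example-scope/router": {
      version: "9.9.1", integrity: "sha512-CONSTRUCTED", hasInstallScript: true,
    },
    "node_modules/left-helper": { version: "2.0.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/demo-ui/node_modules/@example-scope/router": {
      version: "9.8.0", integrity: "sha512-CONSTRUCTED",
    },
    "node_modules/git-dep": { version: "0.1.0", resolved: "git+ssh://git@example.invalid/x.git" },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b" (nested copies count too).
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock, advisory) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace folders and symlinked workspace entries.
    if (!path.includes("node_modules/") || entry.link) continue;
    const name = entry.name || packageName(path);
    const base = { name, version: entry.version, path };
    if ((advisory.get(name) || []).includes(entry.version)) {
      findings.push({ ...base, issue: "advisory-match" });
    }
    // npm records this flag when the package declares install lifecycle scripts.
    if (entry.hasInstallScript) findings.push({ ...base, issue: "install-script" });
    // Registry tarballs carry an integrity hash; bundled deps legitimately do not.
    if (!entry.integrity && !entry.inBundle) {
      findings.push({ ...base, issue: "no-integrity" });
    }
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK, ADVISORY)) {
  console.log(`${f.issue}\t${f.name}@${f.version}\t${f.path}`);
}
```

To use it on a real project, pass the result of JSON.parse on package-lock.json and an advisory map built from the vendor's published list; `npm ci --ignore-scripts` then installs from the lockfile without running lifecycle scripts.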
