What Happened: TanStack Supply Chain Attack Hits OpenAI Developers
OpenAI has disclosed a supply chain attack that began with a popular web development library, TanStack, distributed via the npm ecosystem. An attacker published dozens of malicious versions of TanStack packages, some of which receive millions of weekly downloads, inserting malware into what appeared to be routine development dependencies. Two OpenAI employee devices in a corporate environment installed the compromised packages, triggering credential-stealing malware known as part of the Mini Shai-Hulud campaign. The malware targeted developer credentials, including GitHub tokens, API keys, and other internal secrets used in software development workflows. Although investigators found no evidence that customer data, production systems, or OpenAI’s intellectual property were accessed or altered, the incident did allow unauthorized access to a limited set of internal source code repositories. Critically, those repositories contained private app-signing certificates that are essential for proving OpenAI’s Mac software is legitimate.
Why Signing Certificates Matter for Mac Security
On macOS, code-signing certificates act like digital identity cards that prove an app truly comes from the developer it claims. Apple’s Gatekeeper and notarization systems rely on these certificates to decide whether software should be trusted, allowed to run, or blocked outright. In this incident, OpenAI confirmed that some internal repositories containing signing certificates for macOS, iOS, Windows, and Android apps were exposed. While OpenAI found no evidence that attackers used these certificates to sign malicious apps or push malware to users, the mere possibility poses a serious threat. Stolen signing materials could make a fake ChatGPT or Codex app appear authentic, bypassing normal security warnings. To minimize this risk, OpenAI rotated the certificates and re-signed its Mac apps, and Apple is blocking future notarization attempts tied to the older credentials, effectively phasing them out for existing installations.
Immediate Actions Mac Users Must Take Before the June 12 Deadline
If you use OpenAI’s Mac apps, you must install the latest versions before June 12. Older releases of ChatGPT Desktop, Codex App, Codex CLI, and Atlas that were signed with the now-retired certificates may stop functioning or lose update capability once Apple’s protections stop trusting them. Users should download updates only from official sources: OpenAI’s website, the Mac App Store where applicable, or trusted in-app update mechanisms. Avoid installers delivered via email, chat messages, ads, or third-party download sites, even if they appear to be OpenAI-branded. The key ChatGPT security update and related OpenAI Mac app updates ensure your software is signed with the new, safe certificates. Failing to update by the software vulnerability deadline could leave your apps blocked by macOS, or worse, make you more susceptible to convincing fake installers that exploit the exposed signing certificates.
How Supply Chain Attacks Work and Why This One Matters
This incident is a textbook example of supply chain attack security risks. Instead of attacking end users directly, threat actors compromised an open-source dependency—TanStack npm packages—used widely in modern web and app development. Because these packages are integrated into automated build and deployment pipelines, malicious code can spread silently to developer machines and internal systems. In OpenAI’s case, the malware focused on credential theft and gained limited access to internal repositories, exposing Mac app signing certificates even though customer-facing systems remained unaffected. The event underscores how vulnerable software supply chains have become as projects depend heavily on third-party libraries and package managers. For users, it is a reminder that keeping apps updated is not just about new features; it is a critical security practice that helps maintain trust in the software you run and minimizes the impact of upstream compromises.