What Happened: Tanstack, npm and the OpenAI Supply Chain Attack
OpenAI has disclosed a Mac supply chain attack that began not in its own code, but in a popular web development dependency. An attacker slipped malicious versions into 42 Tanstack npm packages, which are widely used JavaScript components fetched via npm install. Two OpenAI employee devices in a corporate environment installed these tampered packages, triggering malware linked to the Mini Shai-Hulud campaign. The payload focused on stealing developer credentials, including GitHub tokens and API keys, and led to unauthorized access to a limited subset of internal source code repositories. OpenAI reports no evidence that customer data, production systems, or shipped software were altered. However, some of those internal repositories contained private code-signing certificates for OpenAI apps, creating a serious npm security vulnerability with implications far beyond web projects and directly into desktop apps running on macOS.
Why Exposed Signing Certificates Matter for macOS Security
The most concerning outcome of the attack is that code-signing certificates for OpenAI’s iOS, Windows and macOS apps were exposed. These certificates allow operating systems to verify that an application truly comes from OpenAI. If attackers had copied them, they could sign malicious software so it appears to be a trustworthy OpenAI app, potentially slipping past macOS malware threat protections and user scrutiny. OpenAI emphasizes that it has found no evidence of malicious software being signed with its certificates so far. Even so, the company is rotating all affected signing keys as a precaution and has asked platform providers to halt new notarization under the old certificates. This is why the incident is less about existing apps suddenly becoming unsafe and more about preventing fake, look‑alike apps from being mistaken for legitimate OpenAI software in the future.
Critical Deadlines: The OpenAI App Update Mac Users Must Install
To close the window of risk, OpenAI will fully revoke the old macOS signing certificates on June 12. After that date, macOS security protections may block new downloads and first‑time launches of apps signed with the previous certificate, and new notarization requests using those certificates are already being rejected. Mac users therefore need to perform an OpenAI app update before the deadline. Required minimum versions include ChatGPT Desktop 1.2026.125, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1. Updates should be installed via in‑app updaters or official OpenAI download links only. OpenAI stresses that Windows and iOS users do not need special action beyond normal updates, but macOS users who delay could face both security exposure and usability issues once certificate revocation is fully enforced.
How Mac Users Can Verify App Authenticity and Stay Protected
For macOS users, the immediate priority is to ensure every OpenAI app on your system comes from an authentic source. Avoid installers delivered through unsolicited emails, chat messages, ads, or file‑sharing links, especially those claiming to be ChatGPT, Codex, or Atlas. Instead, rely on OpenAI’s official site or built‑in update mechanisms. Enable automatic updates where possible so you receive new, properly signed builds quickly if certificates change again. When installing any developer tools or AI apps, confirm the publisher name and check that macOS Gatekeeper and notarization checks are not bypassed. If you installed any OpenAI app from a third‑party download site in the past, replace it with a fresh copy from official channels. These basic hygiene steps significantly reduce your exposure to future Mac supply chain attack attempts that masquerade as legitimate AI or coding utilities.
The Bigger Picture: Growing Supply Chain Threats to Developers and macOS
This incident underlines a broader pattern: attackers are increasingly targeting open‑source libraries and developer tooling to reach downstream users. The Tanstack compromise, tied to the TeamPCP group, involved over 80 malicious versions across dozens of npm packages and was designed to steal cloud and developer credentials at scale. Because npm dependencies are deeply woven into modern software, a single poisoned package can cascade into many products, including desktop applications traditionally seen as safer. For macOS users, it shows that a macOS malware threat doesn’t always start with a suspicious download; it can originate from a compromised build pipeline or library used by trusted vendors. For developers, it reinforces the need for tighter dependency auditing, stricter npm security vulnerability monitoring and robust credential hygiene. For end users, it’s another reminder that timely updates and cautious app sourcing are now essential parts of everyday security.