What Happened: Tanstack, npm, and the OpenAI Supply Chain Attack
OpenAI has confirmed that several of its Mac apps, including ChatGPT, Codex, and Atlas, were indirectly exposed in a software supply chain attack involving Tanstack, a widely used open-source library distributed via npm. An attacker published 84 malicious versions across 42 Tanstack npm packages, some of which receive millions of weekly downloads. Two OpenAI employee devices with corporate access installed these compromised packages. The malware, linked to the Mini Shai-Hulud campaign and associated with TeamPCP, was designed to steal developer credentials such as GitHub tokens, API keys, and cloud login details. While OpenAI’s investigation found no evidence that customer data, production systems, or app binaries were altered, the incident did allow limited access to internal source code repositories. Crucially, these repositories contained private code-signing certificates used to prove that OpenAI Mac apps are legitimate and trustworthy software.
Why This Matters: The Risk from Stolen Signing Certificates
The core danger is not that existing OpenAI Mac apps are suddenly malicious, but that attackers briefly gained access to code-signing certificates used for OpenAI’s iOS, macOS, and Windows products. These certificates act like digital passports, telling your operating system that an app is genuine and safe to run. If misused, they could allow a fake app to look like an authentic OpenAI product, bypassing macOS security checks and notarization. OpenAI says it has seen no evidence that any malware has been signed with its certificates, and it rapidly isolated the affected devices and closed off the malware’s access. However, because the certificates were in the impacted repositories, OpenAI is rotating and revoking them. This precaution means previously signed Mac apps will eventually be blocked unless users move to the newly signed, updated versions.
Urgent Action for Mac Users: Update Before June 12
Mac users must install updated versions of OpenAI’s apps before June 12, when the old signing certificates will be fully revoked and macOS will begin blocking new downloads and first launches of older builds. The required versions are: ChatGPT Desktop 1.2026.125, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1. You should update directly through the in-app updater or download fresh installers from OpenAI’s official website or trusted app stores only. Do not click on installers or update prompts delivered via email, ads, messages, file-sharing links, or third-party download sites, even if they appear to come from “OpenAI,” “ChatGPT,” or “Codex.” Windows and iOS users do not need to take special action beyond standard updates, but Mac users who delay may find their existing apps blocked by macOS security protections after the deadline.
Understanding Supply Chain Attacks and npm Vulnerabilities
This incident is a textbook example of a software supply chain attack: instead of attacking OpenAI’s apps directly, attackers compromised a dependency in the development stack—in this case, Tanstack npm packages. Because npm packages are reused across countless projects, a single malicious update can silently reach many organizations. The malicious Tanstack versions executed during npm install, allowing the malware to run on developer machines and exfiltrate credentials without obvious user interaction. Tanstack has warned that any host installing affected versions on 2026-05-11 must be treated as potentially compromised. For OpenAI, this meant developer devices became a stepping stone to internal repositories. The episode underlines how npm vulnerabilities and third-party libraries can become high-impact attack vectors, even when production systems and user data remain untouched, and why organizations must continuously vet and monitor their open-source dependencies.
How to Protect Your Mac and Future-Proof Your Security
To protect your Mac now, first update all OpenAI Mac apps to the specified versions using only official channels. Next, remove any older installers you may have saved and avoid sideloading apps from untrusted websites or shared links. Be skeptical of unexpected prompts to reinstall or “fix” ChatGPT, Codex, or Atlas, especially if they arrive via email or messaging apps. For developers, review npm install logs around 2026-05-11 and treat any system that may have pulled the malicious Tanstack packages as suspect: rotate SSH keys, API tokens, and cloud credentials used from those machines. Longer term, this incident highlights the need for dependency auditing, lockfiles, and automated alerts for suspicious package updates. Monitoring third-party dependencies, especially popular npm libraries, is no longer optional—it’s a core security control against future supply chain attacks.