OpenAI confirms two employee computers were affected by the TanStack supply chain attack; ChatGPT and Codex macOS users must update before 6/12
動區 BlockTempo · 2026-05-15 07:15:22


Original title: OpenAI 證實兩臺員工電腦遭 TanStack 供應鏈攻擊波及,ChatGPT、Codex macOS 用戶須在 6/12 前更新
On May 11, the hacker group TeamPCP launched a large-scale npm supply chain attack using TanStack as its stepping stone, and two OpenAI employee devices were affected. The compromised assets included code signing certificates covering iOS, macOS and Windows. macOS users must update their applications before June 12, 2026, or the applications will no longer launch.

(Recap: OpenClaw "Crayfish" hit by double crisis! axios supply chain hides poisoning backdoor, MEDIA vulnerability affects 170,000 cases globally)
(Background: Ledger warns "Don't interact with on-chain contracts": JavaScript package NPM hacked, billions of devices may be infected with malicious code)

An open-source library that few people were paying attention to ended up exposing the world's largest AI company to risk. In the early morning of May 12, 2026 Taiwan time, TeamPCP completed the attack in just six minutes: 42 npm packages under the @tanstack namespace were poisoned and 84 malicious versions were pushed to the npm registry. @tanstack/react-router alone has about 12 million weekly downloads, and the campaign as a whole affected more than 170 npm and PyPI packages with cumulative downloads exceeding 518 million. The impact was not limited to developers; it reached the internal environments of AI companies including OpenAI, Mistral AI and Guardrails AI.

OpenAI's disclosure confirms that two employee devices inside the company's environment were affected. Within the limited subset of code repositories those two employees could access, the investigation found activity consistent with the malware's behavior: unauthorized access and exfiltration aimed at credentials. The confirmed scope of the theft was relatively limited: some credential material was exfiltrated from those repositories, while other code and information were not affected.
The investigation engaged a third-party digital forensics and incident response firm, which found no evidence that customer data or intellectual property was affected and identified no signs of credential abuse or of persistent attacker access after the incident. The problem is that these repositories happened to contain product code signing certificates (in plain terms, the legitimate seal that proves to the operating system that a piece of software was released by OpenAI), covering the three platforms iOS, macOS and Windows. That directly triggered a series of preventive measures.

OpenAI is rotating the code signing certificates for all affected platforms and re-signing and re-releasing every application with new certificates. Windows and iOS users need to do nothing. macOS users, however, must update on their own, and the deadline is June 12, 2026: once the old certificate is fully revoked on that day, macOS's code-signature checks will refuse to download or launch applications signed with it. These are the last versions signed with the old certificate, and they will stop working after the cutoff:

- ChatGPT Desktop 1.2026.125
- Codex App 26.506.31421
- Codex CLI 0.130.0
- Atlas 1.2026.119.1

The core lesson of the incident, in OpenAI's own blunt words: attackers are increasingly targeting shared software dependencies and development tools rather than any single company. Modern software is built on a deeply interconnected ecosystem of open-source libraries, package managers and CI/CD infrastructure, and a single upstream compromise can propagate widely and rapidly across organizations. How many dependencies does your company have that, like TanStack, "everyone uses but no one is watching"? No one can say for sure.
TeamPCP's technique gives this incident a place in security history: it is the first time someone has successfully published a malicious package carrying valid SLSA Build Level 3 provenance attestations. Let me explain what that means. SLSA (Supply-chain Levels for Software Artifacts) is currently the most widely recognized software supply chain security framework. Build Level 3 requires that packages be produced on a hardened build platform, in an isolated build environment, with provenance generated by the platform itself so that the steps of the build cannot forge it. In plain terms: this "security certification seal" was previously treated as enough to rule out malicious poisoning. It is not. Provenance proves who built an artifact and from which source; it does not prove that what went into the build was clean.

The attackers chained three vulnerabilities in GitHub Actions to poison the pnpm cache (pnpm is a widely used package manager in the JavaScript ecosystem), then used an OIDC token (npm's "trusted publishing" mechanism, which lets a CI workflow publish without a stored long-lived token) to publish malicious packages directly under the project's legitimate identity, without stealing anyone's npm account password. Everything went through legitimate channels: the signatures were real, the provenance attestations were real, only the package contents were fake. Once installed, the malware planted a daemon named gh-token-monitor on developer machines, capable of triggering rm -rf ~/ (a command that deletes everything in the user's home directory); the daemon shut itself down after 24 hours, which complicates forensics. According to Socket.dev's analysis of the attack, both the scale and the technical sophistication of this wave are rare.

OpenAI had already accelerated the rollout of security controls after the earlier axios incident, including hardening the protection of sensitive credentials in its CI/CD pipeline and deploying package manager configurations with controls such as minimumReleaseAge. The idea behind the latter is to make newly published package versions wait a set period before they can be adopted, shrinking the window in which a freshly poisoned release can do damage.
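What a SLSA provenance check, as described above, does and does not establish, shown as an added example that is not code from OpenAI, TanStack, npm or Socket.dev: a consumer-side policy check over a constructed SLSA v1 provenance statement. The field layout (an in-toto Statement v1 carrying a slsa.dev/provenance/v1 predicate, with the GitHub workflow identity under externalParameters.workflow) follows the published SLSA and npm provenance formats; the repository, builder id, digests and version are invented, and the Sigstore signature over the statement is assumed to have been verified already, which is exactly the situation the article reports.

```javascript
// Added example; not the article's or any project's code. All data below is constructed.

const INTOTO_V1 = "https://in-toto.io/Statement/v1";
const SLSA_V1 = "https://slsa.dev/provenance/v1";

// Constructed stand-ins for what `sha256sum <tarball>` would report for two builds.
const CLEAN_DIGEST = "11".repeat(32);
const POISONED_DIGEST = "22".repeat(32);

// Build a statement in the SLSA v1 shape that npm's GitHub Actions provenance uses.
// Real statements carry more fields; only those the policy below consults are filled in.
function makeStatement({ version, digest, repository, ref, builderId }) {
  return {
    _type: INTOTO_V1,
    subject: [{ name: `pkg:npm/%40example/lib@${version}`, digest: { sha256: digest } }],
    predicateType: SLSA_V1,
    predicate: {
      buildDefinition: {
        buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
        externalParameters: {
          workflow: { repository, ref, path: ".github/workflows/release.yml" },
        },
      },
      runDetails: { builder: { id: builderId } },
    },
  };
}

// The consumer's policy: which builder and which source repository/ref are trusted.
// Hypothetical repository; the builder id is the one GitHub-hosted runners use.
const policy = {
  allowedBuilders: ["https://github.com/actions/runner/github-hosted"],
  repository: "https://github.com/example-org/lib",
  refPattern: /^refs\/tags\/v\d+\.\d+\.\d+$/,
};

// Check a statement against the tarball actually downloaded and against the policy.
// Every failed condition is collected so that a rejection is auditable.
function checkProvenance(statement, observedDigest, policy) {
  const reasons = [];
  if (statement._type !== INTOTO_V1) reasons.push("not an in-toto v1 statement");
  if (statement.predicateType !== SLSA_V1) reasons.push("predicate is not SLSA provenance v1");
  const subjects = Array.isArray(statement.subject) ? statement.subject : [];
  if (!subjects.some((s) => s.digest && s.digest.sha256 === observedDigest)) {
    reasons.push("downloaded artifact digest is not among the statement's subjects");
  }
  const pred = statement.predicate || {};
  const builder = pred.runDetails && pred.runDetails.builder ? pred.runDetails.builder.id : undefined;
  if (!policy.allowedBuilders.includes(builder)) reasons.push(`builder not allowed: ${builder}`);
  const ext = (pred.buildDefinition && pred.buildDefinition.externalParameters) || {};
  const wf = ext.workflow || {};
  if (wf.repository !== policy.repository) reasons.push(`source repository mismatch: ${wf.repository}`);
  if (!policy.refPattern.test(wf.ref || "")) reasons.push(`unexpected ref: ${wf.ref}`);
  return { ok: reasons.length === 0, reasons };
}

// Case 1: the poisoned 1.4.2 build came out of the real release workflow, on the real
// repository, from a release tag. Every condition holds, so the policy accepts it:
// provenance binds an artifact to a pipeline, not to benign contents.
const poisonedStatement = makeStatement({
  version: "1.4.2", digest: POISONED_DIGEST,
  repository: policy.repository, ref: "refs/tags/v1.4.2",
  builderId: policy.allowedBuilders[0],
});

// Case 2: a well-formed statement for a package built from a fork on a branch.
// This is what provenance does catch: an identity the consumer never agreed to trust.
const forkStatement = makeStatement({
  version: "1.4.2", digest: CLEAN_DIGEST,
  repository: "https://github.com/someone-else/lib", ref: "refs/heads/main",
  builderId: policy.allowedBuilders[0],
});

const results = {
  poisoned: checkProvenance(poisonedStatement, POISONED_DIGEST, policy),
  fork: checkProvenance(forkStatement, CLEAN_DIGEST, policy),
  // Case 3: correct pipeline identity, but the downloaded tarball is not the attested one.
  swapped: checkProvenance(poisonedStatement, CLEAN_DIGEST, policy),
};
console.log(JSON.stringify(results, null, 2));
```

In a real pipeline the signature over the statement is checked first (`npm audit signatures` does that for the registry's attestations); the policy above is the part the consumer has to write, and it is precisely the part a poisoned build cache slips past, because the cache never appears in the attested source or builder identity.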
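The minimumReleaseAge rule the article closes on, as an added example that is neither pnpm's implementation nor the article's code: the selection logic, run offline against a constructed excerpt of an npm packument (the registry's per-package metadata, whose `time` map records when each version was published). The package name and versions are invented; the burst of versions minutes apart mirrors the shape of the poisoning described above.

```javascript
// Added example; not pnpm's implementation. Packument excerpt and versions are constructed.

// Constructed registry metadata: a legitimate 1.4.0 from early May, then 1.4.1 and 1.4.2
// pushed four minutes apart on the evening of May 11 (the shape of a poisoning burst).
const packument = {
  name: "@example/lib",
  "dist-tags": { latest: "1.4.2" },
  time: {
    created: "2025-01-10T12:00:00.000Z",
    modified: "2026-05-11T16:04:55.000Z",
    "1.3.0": "2026-04-20T10:00:00.000Z",
    "1.4.0": "2026-05-01T09:30:00.000Z",
    "1.4.1": "2026-05-11T16:01:10.000Z",
    "1.4.2": "2026-05-11T16:04:55.000Z",
  },
};

// Minimal semver handling: plain x.y.z versions and a caret range ^x.y.z
// (same major, not below the base). Prereleases and other range syntax are out of scope.
const VERSION_RE = /^(\d+)\.(\d+)\.(\d+)$/;

function parseVersion(v) {
  const m = VERSION_RE.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error("only ^x.y.z ranges are supported in this example");
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (!base || !v) return false;
  return v[0] === base[0] && compareVersions(v, base) >= 0;
}

// Pick the newest version in `range` that has been on the registry for at least
// `minAgeMinutes` before `now`. Younger versions are reported in `skipped` rather than
// silently dropped, because a cluster of them is itself a signal worth alerting on.
// Returns version: null when nothing old enough matches, so the install fails closed.
function selectVersion(packument, range, minAgeMinutes, now) {
  const candidates = [];
  const skipped = [];
  for (const [key, published] of Object.entries(packument.time)) {
    if (!parseVersion(key)) continue; // "created" / "modified" are not versions
    if (!caretSatisfies(range, key)) continue;
    const ageMinutes = (now.getTime() - Date.parse(published)) / 60000;
    if (ageMinutes < minAgeMinutes) {
      skipped.push({ version: key, ageMinutes: Math.round(ageMinutes) });
    } else {
      candidates.push(key);
    }
  }
  candidates.sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  return { version: candidates.length ? candidates[candidates.length - 1] : null, skipped };
}

// Resolving on the morning after the burst, with a 7-day (10080 minute) minimum age
// versus no minimum age at all.
const now = new Date("2026-05-12T08:00:00Z");
const withPolicy = selectVersion(packument, "^1.3.0", 7 * 24 * 60, now);
const withoutPolicy = selectVersion(packument, "^1.3.0", 0, now);
console.log(withPolicy);    // version 1.4.0; 1.4.1 and 1.4.2 skipped as too young
console.log(withoutPolicy); // version 1.4.2, nothing skipped
```

pnpm's `minimumReleaseAge` setting (expressed in minutes) applies this rule at resolution time; the number to reason about is how long a poisoned release has to survive on the registry before your resolver would pick it, which should be longer than it takes the ecosystem's scanners and the upstream maintainers to notice and unpublish it.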