
Friday, May 15, 2026

If OpenAI Can't Stop a Supply Chain Attack, What Hope Does Anyone Have?


OpenAI just confirmed it got breached. Not through a zero-day. Not through a nation-state operation targeting its AI models. Through an npm package.

That should bother you.

On May 11, 2026, a threat group called TeamPCP launched a coordinated attack now tracked as "Mini Shai-Hulud." The campaign compromised TanStack, Mistral AI, UiPath, and over 160 additional npm and PyPI packages simultaneously, allowing attackers to steal credentials, self-propagate through the npm ecosystem, and potentially wipe developer home directories via a persistent destructive daemon.

Two employee devices in OpenAI's corporate environment were impacted. The company observed unauthorized access and credential-focused exfiltration activity in a limited subset of internal source code repositories.

Then came the detail that does all the talking. OpenAI's signing keys for Windows, macOS, iOS, and Android were impacted. All applications are being re-signed and released with new certificates. macOS users must update before June 12, 2026, or their apps will stop functioning.

You don't rotate signing certificates over "limited credential material." You rotate them when an attacker was close enough to ship malware as you.


How Three Vulnerabilities Became One Catastrophe

This wasn't brute force. It was patience, precision, and three known weaknesses chained together in the right order.

The attacker created a fork of the TanStack/router repository, renamed it to evade fork-list searches, then opened a pull request that triggered a pull_request_target workflow. Unlike pull_request, that trigger runs in the context of the base repository, with its secrets and a write-capable token, and this workflow checked out and executed the attacker's fork code. That code poisoned the GitHub Actions cache with a malicious pnpm store. When legitimate maintainer PRs were later merged to main, the release workflow restored the poisoned cache, and attacker-controlled binaries then extracted OIDC tokens directly from the GitHub Actions runner's process memory.

The attacker used those tokens to publish malicious packages without ever holding an npm credential. No long-lived npm token was stolen. The packages were published by TanStack's legitimate release pipeline, using its trusted OIDC identity, after attacker-controlled code hijacked the runner mid-workflow.
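The chain above is checkable before an attacker finds it. What follows is an added example, not TanStack's workflow and not a published scanner: a small Python check over two constructed workflow files, one in the vulnerable shape the postmortem describes (a pull_request_target job that checks out the PR head and writes the pnpm cache) and one hardened equivalent. It flags the combination that lets fork code run with the base repository's token and poison a cache that the release job on main will restore. The scan reads the workflow text line by line instead of pulling in a YAML library, which is enough for flat workflows like these.

```python
"""Flag the pull_request_target -> checkout -> cache chain from the postmortem.

Added example, not TanStack's workflow and not a published scanner. The two
workflow texts are constructed: one in the vulnerable shape, one hardened.
The scan is line-oriented and needs no YAML library; that is enough for
flat workflows like these, not a general parser.
"""
import re

# Constructed: a fork PR fires pull_request_target, which runs in the BASE
# repository's context (its secrets, a write-capable GITHUB_TOKEN, OIDC).
# The job checks out the PR head, so attacker code runs there, and writes
# the pnpm store into a cache keyed to main that the release job restores.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.pnpm-store
          key: pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
      - run: pnpm install && pnpm test
"""

# Constructed: same job, hardened. pull_request runs fork code in the fork's
# context with a read-only token, nothing is cached, and checkout does not
# leave the token in .git/config.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: pnpm install --frozen-lockfile && pnpm test
"""

PR_HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
CACHE_STEP = re.compile(r"uses:\s*actions/cache@")


def workflow_triggers(text: str) -> set[str]:
    """Event names under the top-level `on:` key (inline list or mapping)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:  # on: push   or   on: [push, pull_request_target]
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        triggers, indent = set(), None
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            km = re.match(r"^(\s+)([\w-]+):", nxt)
            if not km:          # back at column 0: the on: block is over
                break
            depth = len(km.group(1))
            indent = depth if indent is None else indent
            if depth < indent:
                break
            if depth == indent:
                triggers.add(km.group(2))
        return triggers
    return set()


def scan_workflow(text: str) -> list[str]:
    """Findings for the chain; an empty list means the pattern is absent."""
    findings = []
    if "pull_request_target" not in workflow_triggers(text):
        return findings
    if PR_HEAD_CHECKOUT.search(text):
        findings.append("pull_request_target job checks out the PR head: "
                        "untrusted code runs with the base repo's token and OIDC")
    if CACHE_STEP.search(text):
        findings.append("pull_request_target job writes actions/cache: the entry "
                        "is keyed to the base branch and restored by release runs")
    if "actions/checkout" in text and "persist-credentials: false" not in text:
        findings.append("checkout persists GITHUB_TOKEN in .git/config "
                        "(persist-credentials defaults to true)")
    return findings


if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)]:
        print(f"{name}: {scan_workflow(wf) or ['no findings']}")
```

Run as a script it prints three findings for the vulnerable sample and none for the hardened one. The hardened file is clean because pull_request runs fork code in the fork's own context with a read-only token, nothing is written to the cache, and the checkout does not leave the token on disk for a later step to read.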

The result was something the security industry hadn't seen before. The compromised packages carried valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm that produces validly attested malicious packages. SLSA provenance is a signed attestation that records which builder produced a package, from which repository, workflow and commit. It proves where a package came from and how it was built; it does not prove that what the build consumed was clean. The worm hijacked the legitimate build pipeline itself, so the attestation was accurate. Sigstore verified the signature correctly. The code was still malicious.

The certificate was real. The verification passed. The package was compromised.
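To make that point concrete, here is an added example, not npm's or Sigstore's verifier and not TanStack's release code. It models the policy half of provenance verification over a constructed, trimmed-down SLSA v1 statement whose field names are illustrative: the builder, source repository, workflow path and ref are compared against what a consumer would pin. The hijacked build passes that check for the same reason the real one did: the statement was produced by the genuine release workflow on main, and nothing in it records that the restored pnpm cache was poisoned. The second gate is a release-age check, the idea behind the pnpm minimumReleaseAge control OpenAI lists among its hardening (expressed in minutes); a pipeline hijack cannot defeat it because it depends on nothing the pipeline attests.

```python
"""Provenance policy check beside a release-age gate.

Added example, not npm's or Sigstore's verifier. The statement layout is a
constructed, trimmed-down SLSA v1 provenance in the shape GitHub Actions
attaches to npm packages; field names are illustrative. Signature
verification is assumed to have already passed, as it did in the real
event, so only the policy layer is modelled.
"""
from datetime import datetime, timedelta, timezone

# Constructed policy for a hypothetical package: what a consumer would pin.
POLICY = {
    "builder_id": "https://github.com/actions/runner",
    "source_repo": "https://github.com/example-org/example-router",
    "workflow_path": ".github/workflows/release.yml",
    "ref": "refs/heads/main",
}


def make_statement(subject_digest: str, finished_on: datetime) -> dict:
    """Provenance as the legitimate release workflow emits it. A run whose
    pnpm cache was poisoned emits exactly the same fields, because the
    workflow, repo, ref and builder really were the trusted ones."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/%40example-org/router",
                     "digest": {"sha512": subject_digest}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "externalParameters": {"workflow": {
                    "repository": POLICY["source_repo"],
                    "path": POLICY["workflow_path"],
                    "ref": POLICY["ref"],
                }},
            },
            "runDetails": {
                "builder": {"id": POLICY["builder_id"]},
                "metadata": {"finishedOn": finished_on.isoformat()},
            },
        },
    }


def provenance_matches_policy(statement: dict, policy: dict) -> bool:
    """What provenance can answer: was this built by the pinned builder,
    from the pinned repository, workflow and ref? It says nothing about
    whether the inputs that build consumed were clean."""
    pred = statement["predicate"]
    wf = pred["buildDefinition"]["externalParameters"]["workflow"]
    return (
        statement["predicateType"] == "https://slsa.dev/provenance/v1"
        and pred["runDetails"]["builder"]["id"] == policy["builder_id"]
        and wf["repository"] == policy["source_repo"]
        and wf["path"] == policy["workflow_path"]
        and wf["ref"] == policy["ref"]
    )


def old_enough(finished_on: datetime, now: datetime, minimum_minutes: int) -> bool:
    """Release-age gate, the idea behind pnpm's minimumReleaseAge (minutes).
    A version younger than the threshold is refused whatever its provenance,
    which buys the window in which a compromise is noticed and the version
    pulled (StepSecurity flagged this one within 20 minutes of publish)."""
    return now - finished_on >= timedelta(minutes=minimum_minutes)


def install_allowed(statement: dict, policy: dict, now: datetime,
                    minimum_minutes: int = 1440) -> bool:
    """Both gates together: provenance policy AND a one-day release age."""
    finished = datetime.fromisoformat(
        statement["predicate"]["runDetails"]["metadata"]["finishedOn"])
    return provenance_matches_policy(statement, policy) and old_enough(
        finished, now, minimum_minutes)


def demo_clock() -> datetime:
    """Constructed 'now' so the example is deterministic."""
    return datetime(2026, 5, 11, 12, 0, tzinfo=timezone.utc)


def sample_statements(now: datetime) -> tuple[dict, dict, dict]:
    """Constructed trio: an old clean release, a 15-minute-old hijacked
    release with identical provenance fields, and a forged statement that
    names a renamed attacker fork as the source (the case policy does catch)."""
    good = make_statement("a" * 16, now - timedelta(days=30))
    hijacked = make_statement("b" * 16, now - timedelta(minutes=15))
    forged = make_statement("c" * 16, now - timedelta(days=30))
    forged["predicate"]["buildDefinition"]["externalParameters"]["workflow"][
        "repository"] = "https://github.com/attacker/renamed-fork"
    return good, hijacked, forged


if __name__ == "__main__":
    now = demo_clock()
    for label, st in zip(("good", "hijacked", "forged"), sample_statements(now)):
        print(label, "provenance ok:", provenance_matches_policy(st, POLICY),
              "install allowed:", install_allowed(st, POLICY, now))
```

The output makes the asymmetry visible: the forged statement fails the policy because its source repository is wrong, the hijacked one passes it with exactly the same fields as the clean release, and only the age gate separates the two.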

The attack affected 42 packages and 84 versions across the TanStack ecosystem alone, assigned CVE-2026-45321 with a CVSS score of 9.6 out of 10. TanStack's react-router pulls over 12 million weekly downloads. This wasn't a niche library. This was the foundation of thousands of production applications.


The Dead Man's Switch

The technical sophistication didn't stop at the initial compromise. The malware included a detail that reveals how much thought went into it.

The malware installed a dead man's switch: a shell script that polled the GitHub API every 60 seconds to check whether an npm token created by the malware had been revoked. The token carried the description "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner." If the developer revoked the token from their npm dashboard, the script ran "rm -rf ~/" on the infected machine, turning the implant into wiper malware.

This is not the work of opportunists. This is engineered leverage. The attackers built a system where the act of defending yourself becomes the trigger for destroying your machine. The practical consequence for responders is ordering: isolate the host, back it up and kill the polling process before any token is revoked, not after.

Stolen credentials were exfiltrated via three redundant channels: a typosquat domain, the decentralized Session messenger network, and GitHub API dead drops in which the stolen tokens were used to create Dune-themed repositories. The Session channel was new in this wave and is significantly harder to disrupt than domain-based infrastructure, since there is no registrar or hosting provider to serve a takedown to.

Each wave of this campaign is more sophisticated than the last. TeamPCP is not improvising.


This Group Has Been Escalating for Months

TeamPCP compromised Aqua Security's Trivy scanner in March 2026, the Bitwarden CLI npm package in April 2026, and SAP npm packages in late April 2026. Each wave escalated.

The group was also behind an April attack on the widely used open-source Python package LiteLLM, which allowed them to breach several organizations including the AI recruiting company Mercor. They used a stolen AWS API key to breach the European Commission the same month.

The European Commission. Via a stolen key from a compromised open-source package.

On Wednesday, May 13, the hackers offered for sale stolen internal repositories and source code from Mistral AI. That data is now in the wild. It will be studied, sold, and used by people whose interests are not aligned with yours or Mistral's.

The pattern is consistent: identify trusted infrastructure, poison it at the source, extract credentials before anyone notices, then escalate. Wave four of this campaign is notable not for its scale but for what it achieved: publishing malicious packages that are indistinguishable from legitimate ones by provenance attestation, a property no prior supply chain attack had demonstrated.


OpenAI Was Prepared. It Still Got Hit.

Here is the detail that deserves more attention than it has received.

After a different supply chain attack in March, launched by alleged North Korean hackers, OpenAI accelerated the deployment of specific security controls and technologies to reduce the impact of supply chain attacks. Their response included hardening of sensitive credential material in their CI/CD pipeline, deployment of package manager configurations with controls like minimumReleaseAge (a pnpm setting that refuses to install any version published less than a configured number of minutes ago), and additional software to validate the provenance of new packages.

They had just been through this. They had already hardened their systems. The two impacted employee devices did not have the updated configurations that would have prevented the download of the newly observed package containing malware.

Two laptops running slightly older configurations. That was the gap. And through that gap walked an attacker who reached OpenAI's signing keys.


The Bitcoin Parallel Nobody Is Talking About

Here is the uncomfortable truth at the center of this story: the most advanced AI companies in the world are running on software supply chains they cannot fully audit, trust, or secure.

OpenAI builds systems that millions of people use to make financial, medical, and strategic decisions. Its entire operation runs on layers of open-source dependencies maintained by volunteers, small teams, and contributors scattered across the world. One poisoned package in that chain can move through the entire system before anyone notices. Detection in this case was external — an independent researcher at StepSecurity identified the malicious activity publicly within 20 minutes of the publish. The ecosystem got lucky. A more careful attacker who avoided breaking tests could have published silently for hours longer.

Bitcoin does not have this problem at the protocol layer. Not because Bitcoin is immune to attacks. It isn't, and node software is still software: it has to be built and distributed, which is why Bitcoin Core ships reproducible Guix builds signed by multiple independent maintainers rather than trusting one CI pipeline. But the rules themselves are enforced by validation and consensus, not by trusting that every developer in every CI/CD pipeline across every dependency tree did everything right. There is no npm install that ships malware into the Bitcoin network. A node either validates a block against the rules or rejects it. The chain either extends or it doesn't.

A security researcher described the shift as one "from isolated package compromise to identity-driven propagation through trusted CI/CD infrastructure. Once attackers gain access to publishing workflows and pipeline identities, the software delivery process itself becomes the distribution mechanism. The challenge for defenders is that much of this activity can appear legitimate on the surface."

That is a precise description of a system built on trust at every layer. Trust the developer. Trust the maintainer. Trust the CI pipeline. Trust the certificate. Trust the provenance attestation. When one layer is compromised from the inside, all of it fails together — and the certificate still says valid.

Trustless systems were designed for exactly this reason. The alternative is what we just watched happen to OpenAI.


What Happens Next

The security teams will publish more postmortems. Pipelines will be hardened. New controls will be deployed. And TeamPCP, or the group that learns from their playbook, will find the next gap.

At the time of writing, this is an active campaign, not a closed incident. The cumulative download count across affected packages exceeds 518 million. Over 400 repositories were created using stolen credentials.

This wasn't a targeted attack on one company. It was a net cast across the entire modern software ecosystem, and it caught one of the most security-conscious organizations in the industry.

The question isn't whether this happens again. It's whether the systems you depend on are built to survive it when it does.

Bitcoin was designed to answer that question. Most of the software industry is still trying to figure out how to ask it.


Sources

  1. OpenAI — Our response to the TanStack npm supply chain attack
  2. TanStack Blog — Postmortem: TanStack npm supply-chain compromise
  3. Wiz — Mini Shai-Hulud Strikes Again
  4. The Hacker News — Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI
  5. Snyk — TanStack npm Packages Hit by Mini Shai-Hulud
  6. Orca Security — TanStack and 160+ npm/PyPI Packages Compromised
  7. The Record — OpenAI asks macOS users to update after TanStack attack
  8. BleepingComputer — OpenAI confirms security breach in TanStack supply chain attack
  9. SecurityWeek — TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack
  10. The Next Web — OpenAI says no user data was touched in the TanStack npm worm

BitBrainers. We check the facts so you don't have to.
