OpenAI Hit by TanStack Supply Chain Attack
Summary
OpenAI disclosed that two employee devices were infected during a supply chain attack on TanStack, a web development framework, which allowed attackers to steal credential material from internal source code repositories. The stolen credentials gave attackers access to code-signing certificates (digital keys used to verify that software is authentic) for OpenAI's applications on iOS, macOS, Windows, and Android. OpenAI confirmed that no customer data or intellectual property was compromised, but took steps to prevent further risk.
Solution / Mitigation
OpenAI rotated credentials across all affected repositories, revoked user sessions, temporarily restricted code-deployment workflows, revoked the compromised code-signing certificates, and re-signed all applications with new certificates. The company also coordinated with platform providers to block new notarizations (the platform-side check that approves a signed build for distribution) and prevent misuse of the stolen certificates. macOS users must update their OpenAI apps to the latest versions by June 12, 2026, after which the old apps will no longer receive updates.
Original source: https://www.securityweek.com/openai-hit-by-tanstack-supply-chain-attack/
First tracked: May 15, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 92%