OpenAI Among the Companies Affected by TanStack Breach

AI companies faced fresh exposure to supply chain attacks in May 2026 when threat actors compromised popular software repositories used across the industry.
The Mini Shai-Hulud campaign targeted the npm and PyPI ecosystems that underpin AI and software development infrastructure. One of the firms hit by the latest breach is OpenAI, which highlights weaknesses in how AI companies manage development security.
GitHub Actions exploit enabled breach
The attack began on 11 May 2026 when a threat group named TeamPCP published malicious packages to software repositories. TeamPCP is a financially motivated threat cluster responsible for previous supply chain attacks, including the Trivy and Checkmarx KICS incidents.
"The Wiz research team has been responding overnight to the latest in the many waves of TeamPCP activity," Rami McCarthy, Principal Security Researcher at Wiz, writes on LinkedIn.
"Attackers were able to exploit a GitHub actions vulnerability to publish malicious versions of popular TanStack npm packages. From there, we've seen additional attacks and community spread across @opensearch-project/opensearch, @uipath/, @mistralai/, guardrails-ai and other packages across both npm and PyPI."
Rami, along with Amitai Cohen, the Attack Vector Intel Lead at Wiz and Benjamin Read, the Director of Strategic Threat Intelligence at Wiz, broke down the incident in a company blog.
According to Wiz, attackers exploited three vulnerabilities in GitHub Actions. The threat actor created a fork of the TanStack repository and renamed it to evade detection through fork-list searches.
A pull request triggered code from the attacker's fork, which poisoned the GitHub Actions cache with a malicious pnpm store.
Credential theft targets AI infrastructure
When legitimate pull requests merged with the main branch, the release process retrieved the poisoned cache. Attacker-controlled code extracted OpenID Connect tokens from GitHub Actions runner memory.
The stolen tokens enabled publication of malicious package versions, so the attacker bypassed npm login credentials entirely.
According to Wiz, the malicious packages contained two infection vectors: an entry point that referenced a malicious commit which executed a payload, and a hidden 2.3MB file, router_init.js, that carried the credential stealer.
The payload targets CI/CD tokens, cloud credentials, Kubernetes service accounts, HashiCorp Vault and package registry tokens.
Stolen npm tokens were then used to publish additional malicious packages to repositories where victims had write access, propagating like a worm.
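As an added defensive example, not part of the article or of Wiz's or TanStack's tooling, the following Python script scans a node_modules tree for the traits described above: a hidden file named router_init.js, large dot-prefixed scripts, and package entry points or install hooks that reference hidden paths. The 1 MiB size threshold, the install-hook list and the sample package tree are assumptions constructed for the demo.

```python
import json, os, re, tempfile

KNOWN_BAD_NAME = "router_init.js"            # file name reported in the article
MIN_SUSPICIOUS_BYTES = 1024 * 1024           # 1 MiB threshold: an assumption
HIDDEN_PATH = re.compile(r"(^|[\s/])\.[^./\s][^/\s]*")   # a dot-prefixed path component
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def scan_node_modules(root):
    """Return sorted (package, reason) pairs for packages showing the traits above."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        parts = [] if dirpath == root else os.path.relpath(dirpath, root).split(os.sep)
        pkg = "/".join(parts[:2]) if parts and parts[0].startswith("@") else (parts[0] if parts else "(root)")
        hidden_dir = any(p.startswith(".") for p in parts)
        for name in files:
            path = os.path.join(dirpath, name)
            if name == KNOWN_BAD_NAME:
                findings.add((pkg, f"known-bad file name {name}"))
            if (hidden_dir or name.startswith(".")) and name.endswith(".js") \
                    and os.path.getsize(path) >= MIN_SUSPICIOUS_BYTES:
                findings.add((pkg, f"large hidden script {'/'.join(parts + [name])}"))
            if name == "package.json":
                with open(path, encoding="utf-8") as fh:
                    meta = json.load(fh)
                if HIDDEN_PATH.search(str(meta.get("main", ""))):
                    findings.add((pkg, "entry point 'main' references a hidden path"))
                for hook in INSTALL_HOOKS:
                    if HIDDEN_PATH.search(str(meta.get("scripts", {}).get(hook, ""))):
                        findings.add((pkg, f"install hook '{hook}' references a hidden path"))
    return sorted(findings)

def build_sample_tree(base):
    """Construct a node_modules tree: one benign package, one mimicking the traits (constructed sample)."""
    nm = os.path.join(base, "node_modules")
    good, bad = os.path.join(nm, "good-pkg"), os.path.join(nm, "@evil", "router-pkg")
    os.makedirs(good)
    os.makedirs(os.path.join(bad, ".cache"))
    with open(os.path.join(good, "package.json"), "w") as fh:
        json.dump({"name": "good-pkg", "main": "index.js"}, fh)
    with open(os.path.join(bad, "package.json"), "w") as fh:
        json.dump({"name": "@evil/router-pkg", "main": "index.js",
                   "scripts": {"postinstall": "node .cache/router_init.js"}}, fh)
    with open(os.path.join(bad, ".cache", KNOWN_BAD_NAME), "wb") as fh:
        fh.write(b"/*pad*/" * 350_000)    # about 2.3 MB, the size the article reports
    return nm

def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_node_modules(build_sample_tree(tmp))
```

Running `demo()` flags only the constructed @evil/router-pkg package, on all three traits, and leaves good-pkg clean.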
OpenAI confirms employee systems compromised
OpenAI confirmed two employees in its corporate environment were impacted. The company observed activity consistent with malware behaviour in a limited subset of internal code repositories.
"Upon identification of the malicious activity, we worked quickly to investigate, contain and take steps to protect our systems," OpenAI says.
The AI company isolated impacted systems and identities, revoked user sessions and rotated credentials across affected repositories.
The company also temporarily restricted code deployment workflows and scrutinised user and credential behaviour.
"As part of our investigation, we have not observed evidence of impact to customer data or our intellectual property and our analysis has not identified misuse of impacted credentials or follow-on access by the threat actor," OpenAI says.
The company warned all Mac users to update OpenAI apps to the latest versions. These include ChatGPT Desktop, Codex App, Codex CLI and Atlas.
Worm capabilities spread across ecosystem
According to Wiz, the malware functions as a self-propagating worm through the npm ecosystem. Stolen credentials enable automatic publication of malicious packages to additional repositories.
Interestingly, the malware checks if systems are configured for Russian language. It terminates without exfiltrating data when Russian language settings are detected.
TanStack confirmed: "After a three-day full security sweep and hardening pass, we're issuing an official all-clear on TanStack repo and package security."
AI companies, like most software-dependent firms, rely on open source repositories for model development and deployment infrastructure. The breach shows that AI firms face exposure through software dependencies that extend beyond their internal security controls.