OpenAI Forces macOS App Updates After TanStack npm Attack
An npm supply-chain raid breached two OpenAI laptops. Every Mac running ChatGPT, Codex or Atlas needs a fresh build before signing certificates expire on 12 June.
The News
OpenAI has asked every macOS user of its ChatGPT, Codex and Atlas apps to install a fresh build before 12 June 2026, after a supply-chain raid on the npm ecosystem briefly reached the company's own laptops. The lab confirmed the breach on 15 May (openai.com).
Two corporate employee machines were compromised after running poisoned npm packages from a campaign now called Mini Shai-Hulud. The intruders pulled "limited credential material" from internal source repositories, but OpenAI says no production systems, customer data or model weights were touched. Affected systems were isolated, sessions revoked and repository credentials rotated.
The harder part is the code-signing keys. OpenAI is revoking and reissuing the certificates used to sign ChatGPT Desktop, Codex App, Codex CLI and Atlas for macOS, alongside its iOS and Windows certificates. Macs that have not picked up the new builds by 12 June will refuse to launch the apps. Windows and iOS users do not need to act.
The campaign itself, traced to a group calling itself TeamPCP, began on 12 May and spread through compromised npm and PyPI accounts at TanStack, UiPath, Mistral AI, OpenSearch and Guardrails AI. The trojanised packages dropped an obfuscated router_init.js payload that hunted for cloud, crypto, AI and CI credentials and shipped them to filev2.getsession[.]org over the Session Protocol, a routing choice researchers tracking the campaign say was deliberately picked to dodge conventional monitoring.
Why It Matters
This is OpenAI's second emergency certificate rotation in two months. An April incident traced to a compromised GitHub Actions workflow forced an almost identical macOS update cycle. Two back-to-back key changes in eight weeks is the kind of signal regulators and large enterprise buyers do not ignore.
The deeper story is that the npm registry has become the soft underbelly of modern software. The original Shai-Hulud worm in September 2025 burnt through hundreds of packages and harvested thousands of cloud secrets. The Mini variant is narrower but slicker: it slips into a popular dependency and rides the next npm install straight into every downstream build. The pattern echoes SolarWinds in 2020, except the cadence is now weekly rather than yearly, and the lever is open-source rather than enterprise software.
Indian Angle
Indian engineering teams are unusually exposed. TanStack's Query and Router libraries are widely embedded in the country's React and Next.js stack, and a compromised post-install script on a Bengaluru developer's laptop would have travelled the same path it did at OpenAI: into the secret store, then out over a Session relay.
The regulatory clock is tight. CERT-In's April 2022 directions require Indian companies to report a cyber incident within six hours of noticing it. OpenAI took three days. An Indian fintech repeating that timeline would be in breach, and the Reserve Bank's licence conditions for payment aggregators include explicit supply-chain clauses. Most mid-sized Indian SaaS firms still do not keep a signed software bill of materials.
There is a second angle for India's homegrown AI builders. Sarvam, Krutrim and JioBrain ship models and wrappers through signed binaries or pip wheels. A certificate revocation event on the scale OpenAI is now running would idle their installed base overnight. MeitY's draft Digital India Act has hinted at mandatory SBOM rules for "significant" AI deployers; this incident will be cited when that draft moves to gazette.
FAQ
When do macOS users have to update?
The new certificates are live now and the old ones will be revoked on 12 June 2026. After that date, macOS will refuse to launch older builds of ChatGPT Desktop, Codex App, Codex CLI and Atlas. Updates arrive via the App Store and OpenAI's direct download channels.
Are Windows or iOS users affected?
OpenAI has reissued certificates across all three platforms, but only macOS builds face a hard cut-off on 12 June. Windows and iOS users will receive the new builds through normal update channels with no enforced deadline.
How does this compare with the original Shai-Hulud worm?
The September 2025 Shai-Hulud campaign was wider, hitting hundreds of npm packages and thousands of cloud secrets. Mini Shai-Hulud is narrower, focusing on high-prestige maintainers, but its credential-theft toolkit is more refined.
What should Indian engineering leaders do this week?
Pin npm and pip versions to known-good shas, run npm audit signatures, rotate any developer-laptop credentials that touched the affected packages between 10 and 14 May, and stress-test whether your incident-response policy can hit CERT-In's six-hour clock.
This story was reported by OpenAI. Read the full original coverage at OpenAI.