
Supply Chain Attack Hits OpenAI via TanStack Breach

A supply chain attack that compromised TanStack — one of the most widely used open-source JavaScript libraries in the world — reached inside OpenAI’s corporate environment in May 2026, with the company confirming that two employees had their systems affected by credential-stealing malware. The incident is a sharp reminder that even the most security-conscious AI firms can be exposed through the open-source dependencies that power their everyday development work.

The campaign, dubbed Mini Shai-Hulud by researchers, was not a targeted strike at OpenAI specifically. It was a sophisticated, broad-spectrum operation that swept across the npm and PyPI ecosystems — the two largest software package registries underpinning modern AI and software development — and OpenAI happened to be in its path.

What Happened: A GitHub Actions Exploit at the Root

According to researchers at cloud security firm Wiz, the attack began on 11 May 2026, when a financially motivated threat group known as TeamPCP — previously linked to supply chain incidents involving security tools Trivy and Checkmarx KICS — published malicious packages to software repositories.

The mechanics of the breach were notably clever. Attackers created a fork of the TanStack repository and renamed it to evade detection through standard fork-list searches. They then submitted a pull request that, when triggered, poisoned the GitHub Actions cache with a malicious pnpm store. When legitimate pull requests were subsequently merged into the main branch, the release process retrieved this poisoned cache.

From there, attacker-controlled code extracted OpenID Connect (OIDC) tokens directly from GitHub Actions runner memory. Crucially, this meant the attackers bypassed the need for npm login credentials entirely — they had effectively hijacked the publication pipeline itself.
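A defender-side check for the pattern described above, written here as an added example and not code from Wiz, TanStack or OpenAI: a heuristic audit of GitHub Actions workflow files that flags publish jobs restoring a shared dependency cache in the same job that holds an OIDC publish credential. The two sample workflows, the regexes and the severity ladder are constructed assumptions, not the incident's actual configuration.

```python
import re

# Line-oriented heuristics (not a full YAML parser): enough to triage workflow files.
CHECKS = {
    "cache": re.compile(r"uses:\s*actions/cache(?:/restore)?@|\bcache:\s*['\"]?(?:npm|pnpm|yarn)\b"),
    "restore_keys": re.compile(r"\brestore-keys:"),
    "fork_trigger": re.compile(r"\bpull_request_target\b"),
    "oidc": re.compile(r"\bid-token:\s*write\b"),
    "publish": re.compile(r"\b(?:npm|pnpm|yarn)\s+publish\b"),
}
REASONS = {
    "cache": "restores a dependency store from the shared Actions cache",
    "restore_keys": "restore-keys prefix fallback lets a crafted cache entry match",
    "fork_trigger": "pull_request_target runs fork PRs with base-repo permissions",
    "oidc": "holds an OIDC id-token (write), the credential taken from runner memory in this incident",
    "publish": "runs a registry publish command",
}


def audit_workflow(text: str) -> dict:
    """Rate how exposed a workflow is to executing a poisoned cache next to publish credentials."""
    flags = {name: bool(rx.search(text)) for name, rx in CHECKS.items()}
    findings = [REASONS[name] for name, hit in flags.items() if hit]
    # A poisoned store only pays off where the same job can mint or use a publish credential.
    if flags["cache"] and (flags["oidc"] or flags["publish"]):
        severity = "HIGH"
    elif flags["cache"] and flags["fork_trigger"]:
        severity = "MEDIUM"
    else:
        severity = "LOW" if findings else "NONE"
    return {"severity": severity, "findings": findings}


# Constructed sample: a release job that restores the pnpm store, then publishes with OIDC.
RISKY = """on: {push: {branches: [main]}}
permissions: {contents: read, id-token: write}
jobs: {publish: {runs-on: ubuntu-latest, steps: [
  {uses: actions/cache@v4, with: {path: ~/.pnpm-store, key: "pnpm-${{ hashFiles('pnpm-lock.yaml') }}", restore-keys: pnpm-}},
  {run: pnpm install --frozen-lockfile},
  {run: pnpm publish -r}]}}
"""
# Constructed sample: the same job with no cache restore, so the store is rebuilt from the lockfile.
HARDENED = """on: {push: {branches: [main]}}
permissions: {contents: read, id-token: write}
jobs: {publish: {runs-on: ubuntu-latest, steps: [
  {run: pnpm install --frozen-lockfile},
  {run: pnpm publish -r}]}}
"""

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, audit_workflow(wf))
```

Run it over `.github/workflows/*.yml` and treat any HIGH result as a job whose cache restore should be removed or whose publish credential should move to a separate, cache-free job.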

Rami McCarthy, Principal Security Researcher at Wiz, described the speed and scope of what followed: “Attackers were able to exploit a GitHub Actions vulnerability to publish malicious versions of popular TanStack npm packages. From there, we’ve seen additional attacks and community spread across @opensearch-project/opensearch, @uipath/, @mistralai/, guardrails-ai and other packages across both npm and PyPI.”

The malicious packages contained two infection vectors. One entry pointed to a malicious commit that executed a payload. The other was a 2.3MB hidden file, router_init.js, which carried the credential stealer itself. The payload was designed to target CI/CD tokens, cloud credentials, Kubernetes service accounts, HashiCorp Vault tokens, and package registry credentials. Stolen npm tokens were then used to publish further malicious packages to any repository where the victim had write access — functioning, in Wiz’s description, like a self-propagating worm moving through the ecosystem.

One forensic detail stood out: the malware checks whether the infected system is configured for the Russian language, and terminates itself without exfiltrating data if that condition is met — a telltale sign of the threat actor’s geographic boundaries of intent.

OpenAI’s Response: Contained, but Not Without Cost

OpenAI confirmed that two employees in its corporate environment were affected, with activity consistent with malware behaviour observed across a limited subset of internal code repositories. The company moved quickly: it isolated impacted systems and identities, revoked user sessions, rotated credentials across affected repositories, and temporarily restricted code deployment workflows while conducting a broader investigation.

Critically, OpenAI stated it found no evidence of impact to customer data or intellectual property, and no sign of follow-on access by the threat actor using the compromised credentials. The company also issued a public advisory urging all Mac users to update their OpenAI applications — including ChatGPT Desktop, Codex App, Codex CLI, and Atlas — to the latest available versions.

TanStack, for its part, conducted a full three-day security sweep and hardening pass before issuing what it called an “official all-clear” on its repository and package security. The speed of that response reflects how seriously the open-source community has learned to treat these events, even when the attack vector was not of the maintainers’ own making.

Why It Matters: Supply Chain Attack Risk Is an AI Industry Problem

The Mini Shai-Hulud campaign illustrates a structural vulnerability that affects every company building on top of the modern software stack — but AI companies face it with particular acuity. The risks of generative AI are often discussed in terms of model behaviour, hallucination, or data privacy. Increasingly, however, the attack surface extends into the infrastructure layer: the libraries, pipelines, and registries that AI teams use to build, test, and deploy their systems.

AI development pipelines are especially dependency-heavy. Model training and evaluation workflows draw on dozens of open-source packages from npm and PyPI. CI/CD automation — through platforms like GitHub Actions — is the connective tissue of modern ML engineering. When that connective tissue is compromised, the blast radius can extend far beyond a single organisation.

The worm-like propagation mechanic used in this campaign is particularly significant. By stealing npm publish tokens and using them to infect repositories where victims have write access, TeamPCP turned the trust relationships of the open-source ecosystem into a transmission mechanism. A developer at one firm installs a compromised package; their credentials are stolen; those credentials publish malicious versions of packages they maintain; the malware spreads to their dependencies’ users. This is not a hypothetical threat model — it is what happened in May 2026, across multiple major ecosystems simultaneously.

The GitHub Actions exploitation at the core of this attack also deserves scrutiny. CI/CD pipelines are often granted elevated permissions — access to cloud environments, secrets managers, and package registries — because they need them to do their jobs. That makes them high-value targets. The specific technique of poisoning the pnpm cache via a malicious fork and pull request is a vector that many teams running open-source projects will not have specifically hardened against. This is consistent with broader patterns that security researchers have flagged about GitHub’s own security advisories in recent years: Actions workflows are powerful and widely used, but their security posture varies enormously across projects.

For AI companies specifically, the implications go beyond embarrassment. Models, training data pipelines, inference infrastructure, and internal tooling all flow through development environments. Credential theft at that layer — even if not immediately monetised — opens doors. The fact that OpenAI found no evidence of follow-on access is reassuring, but it underscores how narrow the margin can be.

It is also worth noting the breadth of targets in this single campaign: OpenSearch, UiPath, Mistral AI, Guardrails AI. These are not peripheral projects. They represent core infrastructure for enterprise search, robotic process automation, frontier AI model deployment, and AI safety tooling respectively. A supply chain attack that can simultaneously reach all of them in a single wave is a categorically different threat from a one-off compromise.

This sits within a longer pattern. As AI systems grow more capable, the software infrastructure that builds and maintains them becomes a more attractive target for financially motivated and state-affiliated threat actors alike. The value of stealing cloud credentials, CI/CD tokens, or model registry access from a frontier AI lab is not trivial.

What Happens Next: Hardening the Pipeline

In the immediate term, the Mini Shai-Hulud campaign will almost certainly accelerate conversations inside AI companies about their dependency security practices. A few developments seem plausible.

First, expect heightened scrutiny of GitHub Actions configurations, particularly around cache poisoning vectors and OIDC token handling. Wiz’s detailed technical disclosure gives security teams a concrete checklist to work against, and the open-source community will likely produce hardening guides in the coming weeks.

Second, npm and PyPI may face renewed pressure to implement stronger verification controls around package publication, particularly for packages that achieve a certain threshold of weekly downloads. TanStack’s packages, for instance, are used by millions of developers. The asymmetry between the ease of publishing and the scale of potential impact remains a structural problem that neither registry has fully solved.

Third, TeamPCP’s track record — Trivy, Checkmarx KICS, and now Mini Shai-Hulud — suggests this group is not going away. The group’s operational tempo, its apparent financial motivation, and its demonstrated ability to evolve its techniques across campaigns indicate a persistent threat that security teams at AI and cloud companies will need to monitor actively. Wiz’s threat intelligence team, along with counterparts at firms like CrowdStrike and others tracking financially motivated supply chain actors, will be central to that monitoring effort.

For developers and security engineers working in AI infrastructure, the practical upshot is uncomfortable but clear: the attack surface extends to every package in your dependency tree, and every CI/CD workflow that has publish rights to a registry. Managing the complexity of modern data and ML infrastructure is hard enough without adversaries actively probing the weakest links in the supply chain — but that is, increasingly, the environment teams are working in.

Key Takeaways

  • A supply chain attack called Mini Shai-Hulud compromised TanStack and multiple other npm and PyPI packages in May 2026, affecting OpenAI and other major technology firms including Mistral AI and UiPath.
  • The attack exploited three GitHub Actions vulnerabilities to poison a pnpm cache, enabling attackers to steal OIDC tokens and publish malicious packages without needing npm login credentials.
  • OpenAI confirmed two employee systems were compromised but found no evidence of customer data loss, intellectual property theft, or follow-on access by the threat actor.
  • The malware spread like a worm by using stolen npm publish tokens to infect additional repositories, illustrating how trust relationships within the open-source ecosystem can be weaponised.
  • AI companies face particular exposure to supply chain attacks because their development pipelines are deeply reliant on open-source packages and CI/CD automation with elevated cloud permissions.