Cyber Incident Victim: OpenAI
Date:
May 2024
Location:
United States of America
Summary
OpenAI disclosed that a supply chain attack targeting the TanStack development stack led to the infection of two employee devices and the exfiltration of limited credential material from internal source code repositories they could access. The attackers, linked to the TeamPCP group, published malicious packages that deployed the Shai‑Hulud worm, granting access to repositories containing code‑signing certificates for iOS, macOS, Windows and Android products. The company rotated credentials, revoked sessions, restricted deployment workflows, and revoked the compromised certificates, re‑signing its applications to prevent potential abuse. It confirmed no customer data, intellectual property or other code was affected, and found no evidence of unauthorized software signing or modifications to existing installations. The breach occurred while the company was transitioning to hardened configurations following an earlier Axios supply chain incident, leaving the two devices temporarily unprotected.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On May 11 2024 the TeamPCP hacking group exploited weaknesses in the package publishing process of the TanStack open‑source web development stack, releasing 84 malicious artifacts across 42 packages. This action was part of a broader coordinated campaign that compromised over 170 packages in several high‑profile NPM and PyPI namespaces on the same day and infected developer devices with the Shai‑Hulud worm. OpenAI was identified as a downstream victim when two of its employee devices became infected, allowing the attackers to exfiltrate credential material and other secrets from those machines. The compromised credentials granted the threat actors access to several internal source code repositories that the two employees were authorized to use.
OpenAI confirmed that only limited credential material was successfully extracted from the accessed repositories and that no other information or code was altered or stolen. In response, the company rotated credentials across all affected repositories, revoked user sessions associated with the compromised devices, and temporarily restricted code‑deployment workflows to prevent further exposure. It also revoked the code‑signing certificates for iOS, macOS, Windows, and Android applications that were stored in the compromised repositories and began re‑signing all software with new certificates. OpenAI announced that macOS users must update their OpenAI applications by June 12 2026 to continue receiving updates, noting that after that date the apps might cease to function properly if not updated. The company is working with platform providers to halt new notarizations using the stolen certificates and to prevent their malicious use, and it has reviewed all prior notarizations of software signed with the old certificates to verify that no unexpected software signing occurred and that published software remained unmodified; no evidence of compromise or risk to existing installations was found.
The incident occurred while OpenAI was in the midst of transitioning to hardened configurations and updated credential management practices, a process that had been initiated after the Axios supply chain attack at the end of March 2024, which had previously affected certificate and notarization material used to sign its macOS applications. Because the hardening rollout was being implemented in phases, the two employee devices had not yet received the new configurations that would have blocked the malicious package downloads. OpenAI emphasized that no customer data or intellectual property was impacted by the breach and that its response actions were aimed at containing the threat and restoring the integrity of its software signing infrastructure.