TeamPCP, Supply Chain Attack, Mini Shai-Hulud, OpenAI, TanStack, Code-Signing Certificates, Root of Trust
Source Material: OpenAI | Technology: macOS, iOS, Windows, npm, CI/CD pipelines | Targeted Industries: Artificial Intelligence, Software Development, Technology
Executive Summary
OpenAI confirmed a breach of their internal CI/CD pipelines stemming from the recent “Mini Shai-Hulud” supply chain compromise of the TanStack npm ecosystem. The threat actor, tracked as TeamPCP, leveraged the malicious open-source library to infiltrate OpenAI’s development environment. While OpenAI stated that no user data, production systems, or intellectual property were accessed, attackers successfully exfiltrated internal code-signing certificates for macOS, iOS, and Windows.
These certificates act as a cryptographic Root of Trust. Their theft allows attackers to sign malicious payloads that operating systems will recognize as legitimate OpenAI software. In response, OpenAI initiated a certificate revocation process and halted desktop application updates. OpenAI has reissued certificates across macOS, iOS, and Windows. Users of Windows and iOS applications do not need to take any manual action, as certificate rotation on these platforms is handled automatically. However, macOS users must update their applications by June 12, 2026, to transition to newly issued certificates before Apple fully invalidates the compromised ones.
Threat Overview and Strategic Impact
TeamPCP compromised two OpenAI corporate devices after employees installed the malicious @tanstack library. This initial foothold enabled the Mini Shai-Hulud malware to move laterally, bypassing perimeter defenses and accessing a subset of OpenAI’s internal source-code repositories. The malware harvested credentials, SSH keys, and CI/CD secrets for further propagation.
The primary strategic impact is the compromise of OpenAI’s Root of Trust. With the exfiltrated macOS, iOS, and Windows signing certificates, TeamPCP can sign malicious payloads, allowing malware to bypass standard OS-level security controls and appear as genuine OpenAI updates.
Although security researchers reportedly detected and removed the malicious TanStack packages within 20 minutes of their May 11 publication, the malware’s automated lateral movement still managed to infect internal environments and compromise the OpenAI signing certificates. As a result, new notarization requests using the previous certificates have been blocked.
Security Hardening and Recommendations
Organizations should implement the following measures to defend against the Mini Shai-Hulud campaign and handle the fallout from the compromised OpenAI certificates:
- Configure endpoint security and application control solutions to strictly validate certificate revocation lists (CRLs). Ensure systems are actively checking for expired or recently revoked OpenAI code-signing certificates.
- Force updates for all deployed OpenAI desktop applications (specifically macOS) to the latest versions signed with new certificates.
- Audit developer workstations and CI/CD environments for any presence or historical execution of the compromised TanStack npm packages.
- If internal systems have interacted with the malicious libraries, immediately isolate the affected devices. Revoke active sessions and rotate all potentially exposed credentials, SSH keys, and API tokens.
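The package audit recommended above can be scripted against npm lockfiles. The sketch below is an added example, not tooling from OpenAI or Deepwatch. The `COMPROMISED` table holds a placeholder name and version because this page lists none, and the sample lockfile is constructed. A lockfile shows presence only, not historical execution.

```python
import json

# Placeholder advisory data: the page lists no affected versions, so fill this
# in from the vendor advisory. The single entry below is constructed.
COMPROMISED = {"@tanstack/example-package": {"0.0.0-PLACEHOLDER"}}

def iter_lock_packages(lock):
    """Yield (name, version, install_path) from an npm lockfile, v1 to v3."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself
                name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
                yield name, meta.get("version", ""), path
        return
    stack = [(lock.get("dependencies", {}), "")]  # lockfileVersion 1: nested
    while stack:
        deps, prefix = stack.pop()
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), path
            stack.append((meta.get("dependencies", {}), path + "/"))

def audit_lockfile(lock, compromised=COMPROMISED, scope="@tanstack/"):
    """Return (hits, review): advisory matches, then other in-scope packages."""
    hits, review = [], []
    for name, version, path in iter_lock_packages(lock):
        if version in compromised.get(name, ()):
            hits.append((name, version, path))
        elif name.startswith(scope):
            review.append((name, version, path))
    return sorted(hits), sorted(review)

# Constructed sample lockfile; a transitive copy is nested under "foo".
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@tanstack/example-package": {"version": "0.0.0-PLACEHOLDER"},
    "node_modules/@tanstack/other-package": {"version": "1.2.3"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/foo/node_modules/@tanstack/example-package":
      {"version": "0.0.0-PLACEHOLDER"}
  }
}""")

if __name__ == "__main__":
    hits, review = audit_lockfile(SAMPLE_LOCK)
    for row in hits + review:
        print("MATCH " if row in hits else "REVIEW", *row)
```

Transitive copies nested under another dependency are reported with their full install path, which identifies the parent package that pulled them in.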
Detection Strategy
Detections should focus on anomalous executions and the presence of revoked or suspicious code-signing certificates. Defenders should monitor for processes signed with the compromised OpenAI certificates that execute from non-standard directories or attempt unexpected network connections. File integrity monitoring and endpoint detection and response (EDR) solutions should be used to track the deployment of unauthorized binaries, while network monitoring should flag outbound command-and-control (C2) traffic associated with the Mini Shai-Hulud worm.
How Deepwatch Protects Our Customers
Deepwatch’s Adversary Tactics and Intelligence (ATI) team is tracking the TeamPCP campaign and integrating identified Indicators of Compromise (IOCs) into our Threat Intelligence Platform. Our Security Operations Center (SOC) utilizes this intelligence to detect suspicious activity in customer environments. Our Threat Hunters periodically conduct proactive sweeps to hunt for anomalous or suspicious activity.
Relevant Detections
- dw_inta_00010: Threat Intel – IOC Hash Match
- dw_inta_00012: Threat Intel – Domain Match
- dw_inta_00007: HTTP POST Action to Threat Domain
- dw_proa_00021: Suspected Data Exfiltration Command Parameters
- dw_idsa_00006: Outbound C2 Traffic
- dw_idsa_00007: Outbound Exfiltration Traffic
Threat Hunting Leads
- Hunt for the execution of binaries or applications on macOS, iOS, or Windows environments that are signed with the revoked OpenAI certificates but do not match known, legitimate file hashes or expected installation paths.
- Search for anomalous internal network traffic originating from developer workstations that have recently updated npm packages, which may indicate potential lateral movement or credential exfiltration.
- Review GitHub Actions or other CI/CD pipeline logs for unexpected modifications to build scripts or unauthorized access to secrets and repository settings.
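The Detection Strategy section and the first hunting lead both describe binaries signed with the revoked certificates that sit outside expected paths or do not match known hashes. The triage logic below is an added example, not a Deepwatch detection, run over constructed process-start events. Thumbprints and hashes are placeholders, the install directories are assumptions, and the network condition is left out.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Placeholders: the page publishes no thumbprints or hashes, and the install
# directories are assumptions to adapt to your own fleet.
REVOKED_THUMBPRINTS = {"REVOKED-THUMBPRINT-PLACEHOLDER"}
KNOWN_GOOD_SHA256 = {"KNOWN-GOOD-SHA256-PLACEHOLDER"}
EXPECTED_DIRS = {"macos": ["/Applications"], "windows": [r"C:\Program Files"]}

def in_expected_dir(os_name, path):
    """True if path lies under an expected install directory for that OS."""
    cls = PureWindowsPath if os_name == "windows" else PurePosixPath
    p = cls(path)
    if ".." in p.parts:  # unnormalised path: never treat as expected
        return False
    # Component-wise comparison, so "/Applications-x" is not "/Applications".
    return any(p.is_relative_to(cls(d)) for d in EXPECTED_DIRS.get(os_name, []))

def classify(event):
    """Return (verdict, reasons) for one process-start event."""
    if event["signer_thumbprint"] not in REVOKED_THUMBPRINTS:
        return "ignore", []
    reasons = []
    if event["sha256"] not in KNOWN_GOOD_SHA256:
        reasons.append("unknown_hash")
    if not in_expected_dir(event["os"], event["path"]):
        reasons.append("unexpected_path")
    # A known build in its normal location still needs the update; anything
    # else signed with the revoked certificate is a hunting lead.
    return ("alert" if reasons else "needs_update"), reasons

# Constructed process-start events (not real telemetry).
EVENTS = [
    {"os": "macos", "path": "/Applications/Example.app/Contents/MacOS/Example",
     "sha256": "KNOWN-GOOD-SHA256-PLACEHOLDER",
     "signer_thumbprint": "REVOKED-THUMBPRINT-PLACEHOLDER"},
    {"os": "macos", "path": "/Applications-cache/Example",
     "sha256": "KNOWN-GOOD-SHA256-PLACEHOLDER",
     "signer_thumbprint": "REVOKED-THUMBPRINT-PLACEHOLDER"},
    {"os": "windows", "path": r"c:\program files\Example\example.exe",
     "sha256": "UNSEEN-SHA256-PLACEHOLDER",
     "signer_thumbprint": "REVOKED-THUMBPRINT-PLACEHOLDER"},
    {"os": "windows", "path": r"C:\Users\dev\AppData\Local\Temp\upd.exe",
     "sha256": "UNSEEN-SHA256-PLACEHOLDER",
     "signer_thumbprint": "OTHER-THUMBPRINT-PLACEHOLDER"},
]

def triage(events=EVENTS):
    """Classify every event, preserving input order."""
    return [classify(e) for e in events]
```

The `needs_update` verdict separates legitimate older builds that still carry the revoked signature from the cases worth hunting.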
Technical Artifacts
The primary artifacts of concern in this phase of the campaign are the stolen code-signing certificates. The attackers successfully exfiltrated these private certificates from OpenAI’s internal repositories, enabling them to bypass OS-level trust safeguards.
Secondary artifacts relate to the initial vector: the malicious TanStack npm packages. Upon execution, the Mini Shai-Hulud payload sweeps developer environments to exfiltrate highly privileged tokens, API keys, and certificates to attacker-controlled infrastructure.
Please review CA-A-26-005 and CA-A-26-005 Updates 1-4 for IOCs related to earlier campaign activity.
Threat Object Mapping
Intrusion Set:
- TeamPCP
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
|---|---|---|---|
| Initial Access | Supply Chain Compromise | T1195.002 | Attackers compromised TanStack npm packages to gain initial access to developer environments. |
| Credential Access | Credentials In Files | T1552.001 | The payload harvested private code-signing certificates from internal source-code repositories. |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | Attackers stole code-signing certificates to sign malicious payloads, making them appear as trusted OpenAI software. |
Vulnerabilities:
- N/A (Supply Chain Compromise)
Malware/Tool:
- Mini Shai-Hulud Worm