OpenAI Pulls All Its Code-Signing Certificates After TanStack npm Attack Hit Two Employee Macs

OpenAI is in the middle of a full code-signing reset across macOS, Windows, iOS and Android after the TanStack npm supply chain attack reached two of its employee laptops. The company has revoked every certificate held in the affected repositories, re-signed its desktop and mobile apps, and given macOS users a hard cutoff of June 12, 2026 to update — after which Gatekeeper will refuse to launch ChatGPT, Codex, Codex-cli and Atlas builds signed with the old keys.

The intrusion traces back to May 11, 2026, when a threat group tracked as TeamPCP exploited a weakness in npm's TanStack publishing pipeline and pushed 84 malicious artifacts across 42 packages. The payload, nicknamed Mini Shai-Hulud after a similar 2025 incident, is a credential harvester that scrapes developer machines for cloud tokens, signing material and source-control secrets. Two OpenAI engineers happened to install the poisoned versions before the publishing keys were locked, and the malware reached repositories that held code-signing assets for all four of OpenAI's client platforms.

OpenAI disclosed the incident on May 15 and says the damage was narrow: "only limited credential material was successfully exfiltrated from these code repositories, and no other information or code was impacted." No customer data and no model weights are believed to have moved. Even so, the response was aggressive — revoking every potentially exposed certificate, invalidating user sessions, freezing the deploy pipeline, and coordinating with Apple, Microsoft and Google so that the stolen signing material cannot be used to push trojanised OpenAI binaries through their stores.

This is the second time in two months that OpenAI has had to rotate its macOS signing certificate. In April it pulled and reissued the same key after the Axios npm compromise hit a GitHub Actions workflow that handled macOS notarisation. Security researchers at Socket and Rescana have used both incidents to argue that frontier AI labs are now a high-value target for npm-style supply chain campaigns precisely because their engineering stacks are so dependency-heavy.

What customers actually need to do

For end users the practical impact is simple but firm. Anyone running ChatGPT Desktop, Codex, Codex-cli or Atlas on macOS needs to install the freshly re-signed builds from openai.com or the App Store before June 12, 2026. Once OpenAI completes the staged revocation on that date, macOS will block launches of the old binaries with a generic "this app cannot be opened" prompt. Windows, iOS and Android users will be migrated automatically through their respective stores, but enterprise admins managing pinned versions should plan a forced update window in the next three weeks.

Why two incidents in two months matters

The bigger story is the operational pattern. OpenAI says the affected employee devices were part of a phased security transition that hadn't yet reached them — meaning newer device controls would likely have stopped the exfiltration. That is a useful detail for other AI labs: the protective gap is not in the npm registry, it is in how quickly developer endpoints get isolated from production signing material. With Anthropic, xAI and Mistral all shipping their own desktop and CLI clients now, expect every frontier lab to be running a quiet review of who, exactly, can touch a signing key from a laptop.