Worm Mini Shai-Hulud Hits npm and Forces OpenAI to Re-sign Applications for Windows, macOS, iOS, and Android
A supply chain attack on the TanStack project release pipeline compromised 84 artefacts in 42 npm packages, impacting OpenAI, which confirmed the compromise of application signing keys for Windows, macOS, iOS, and Android, and initiated the re-release of all apps with new certificates.
A supply chain attack against the npm ecosystem compromised 84 artefacts published across 42 packages of the @tanstack scope on 11 May. The incident, attributed to the TeamPCP group and dubbed Mini Shai-Hulud by researchers, reverberated the following week when OpenAI confirmed that two corporate devices were affected and that the signing keys for its Windows, macOS, iOS, and Android applications were among the compromised assets.
The mechanics of the attack go straight to a blind spot in modern pipelines. In TanStack's own description, "our own CI pipeline stole its own publishing token for the attackers, at the exact moment of creation, through a cache that everyone in the chain implicitly trusted." The flow combined a Pwn Request technique in GitHub Actions, cache poisoning, and OIDC token extraction. The malicious packages were published through TanStack's official pipeline, under a legitimate OIDC identity, after attacker-controlled code hijacked the runner in the middle of the workflow. @tanstack/react-router alone accounts for over 12.7 million weekly downloads.
OpenAI's Response
In an official statement, OpenAI reported having isolated the impacted systems, revoked user sessions, rotated credentials, and temporarily restricted code deployment flows. The company stated that it found no evidence of user data access, production system compromise, or software alteration. Nonetheless, the application signing keys were treated as burned: all apps are being re-signed and re-released with new certificates across the four affected platforms.
Not the First and Won't Be the Last
The TeamPCP group is experienced. StepSecurity attributes to the same actor the compromise of Aqua Security's Trivy scanner in March 2026 and of the Bitwarden CLI npm package in April. The pattern is consistent: exploiting the implicit trust placed in the release pipelines of open-source projects that are widely used in corporate infrastructure.
For CISOs and platform teams, the episode reinforces an agenda that has been taking shape since the SolarWinds attack and gained a new chapter with the original Shai-Hulud worm of 2025: package signatures must be validated against policy, reproducible builds are no longer a luxury, and OIDC credentials inside CI runners are high-value targets. Reacting is too late; the task is to instrument the chain before the next episode.
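The Pwn Request, cache and OIDC chain described in the attack mechanics above, and the hardening the closing paragraph calls for, come down to a handful of GitHub Actions settings. The following is an added illustration, not TanStack's actual workflow (which this article does not reproduce): a hypothetical risky CI workflow, followed by a hardened CI workflow and a separate release workflow. Workflow names, the `v*` tag pattern and the npm commands are assumptions for the example.

```yaml
# Hypothetical workflows for illustration only; not the TanStack pipeline.
# ---- .github/workflows/ci.yml: the risky shape -----------------------
name: ci
on:
  pull_request_target:        # base-branch context: secrets and base-scoped cache
permissions:
  id-token: write             # the same run can mint an OIDC publishing token
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ runner.os }}   # same key a release job later restores
      - run: npm ci && npm test        # PR-controlled scripts run with all of the above

# ---- .github/workflows/ci.yml: hardened ------------------------------
name: ci
on:
  pull_request:               # PR context: read-only token, no secrets,
permissions:                  # cache writes scoped to the PR branch only
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4       # default ref (merge commit): still untrusted,
      - run: npm ci --ignore-scripts    # but nothing privileged is reachable here
      - run: npm test

# ---- .github/workflows/release.yml: trusted publish only --------------
name: release
on:
  push:
    tags: ['v*']              # only a maintainer's tag push reaches publishing
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write         # OIDC minted only in this job, only on a tag push
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts    # fresh install; no restored cache to poison
      - run: npm publish --provenance --access public
```

The key change is separation: code from pull requests never runs in a job that holds `id-token: write`, and the publishing job restores nothing that an untrusted trigger could have written.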