{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/macos-applications/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS applications"],"_cs_severities":["high"],"_cs_tags":["supply-chain","credential-access","npm","pypi"],"_cs_type":"threat","_cs_vendors":["OpenAI"],"content_html":"\u003cp\u003eOn May 11, 2026, the open-source web application development stack TanStack was compromised, leading to a coordinated campaign that saw over 170 packages across NPM and PyPI namespaces being infected. The TeamPCP hacking group exploited weaknesses in the package publishing process to release 84 malicious artifacts across 42 packages, resulting in developer devices being infected with the Shai-Hulud worm. OpenAI was one of the affected organizations, with two employee devices being compromised, leading to the exfiltration of credentials and other secrets from internal source code repositories. 
Although the scope of the compromise was limited, the attackers gained access to several internal source code repositories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe TeamPCP group exploited vulnerabilities in the TanStack package publishing process.\u003c/li\u003e\n\u003cli\u003e84 malicious artifacts were released across 42 packages.\u003c/li\u003e\n\u003cli\u003eOver 170 packages across several high-profile NPM and PyPI namespaces were compromised.\u003c/li\u003e\n\u003cli\u003eDeveloper devices were infected with the Shai-Hulud worm.\u003c/li\u003e\n\u003cli\u003eTwo OpenAI employee devices were infected as part of the supply chain attack.\u003c/li\u003e\n\u003cli\u003eCredential material was exfiltrated from internal source code repositories.\u003c/li\u003e\n\u003cli\u003eAttackers gained access to code-signing certificates for iOS, macOS, Windows, and Android products.\u003c/li\u003e\n\u003cli\u003eOpenAI is revoking certificates and re-signing applications to mitigate the impact.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of two OpenAI employee devices resulted in the exfiltration of credential material, including code-signing certificates for iOS, macOS, Windows, and Android products. Although no customer data or intellectual property was affected, OpenAI is revoking the compromised certificates and requiring macOS users to update their applications by June 12, 2026, to prevent the potential distribution of fake applications. 
Failure to update macOS applications will result in the products ceasing to receive updates and potentially malfunctioning.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unauthorized use of code-signing certificates for OpenAI's iOS, macOS, Windows, and Android products on internal networks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting Shai-Hulud worm-related activity to identify potential infections within the environment.\u003c/li\u003e\n\u003cli\u003eReview notarization logs for software signed using previous OpenAI certificates to confirm no unauthorized modifications have occurred, as mentioned in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T10:37:19Z","date_published":"2026-05-15T10:37:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-openai-tanstack-supply-chain/","summary":"OpenAI was impacted by the TanStack supply chain attack, resulting in two employee devices being compromised and the exfiltration of credential material from internal source code repositories.","title":"OpenAI Compromised via TanStack Supply Chain Attack","url":"https://feed.craftedsignal.io/briefs/2026-05-openai-tanstack-supply-chain/"}],"language":"en","title":"CraftedSignal Threat Feed — MacOS Applications","version":"https://jsonfeed.org/version/1.1"}