Behind the headline on the latest npm supply-chain hit: a malware strain called Mini Shai-Hulud rode legitimate publishing credentials into 84 tainted releases across 42 packages, including @tanstack/react-router, a router pulling 12 million weekly downloads. Two engineering laptops inside OpenAI ran npm install before the policy fence caught up. That's the whole story in one sentence, and it's also why the rest of this matters.
OpenAI says no production systems, customer data, or model weights were touched. The forensic firm it brought in confirmed the blast radius stopped at two endpoints. But "stopped at two endpoints" still means the attackers walked off with code-signing certificates for the macOS builds of ChatGPT Desktop, Codex, and Atlas. Anyone shipping a Mac app understands what that sentence costs: certificates are revoked, Apple notarization for the old chain is dead, and every Mac user has a hard deadline of June 12, 2026 to update or watch Gatekeeper refuse the binary.
How the payload actually moves
Mini Shai-Hulud is a worm built for the trust graph of package managers. Once a maintainer's machine runs the poisoned install script, the malware harvests anything that looks like an access token — GitHub PATs, AWS keys, SSH private keys, npm tokens — then attempts to republish itself into other packages the victim owns. The propagation is autonomous. The novel piece is a dead-man's-switch daemon: revoke the stolen GitHub token and the daemon fires rm -rf $HOME as a parting shot. That's not opportunistic theft; that's a deliberate cost imposed on incident response.
A StepSecurity researcher flagged the malicious versions roughly 20 minutes after publication. Twenty minutes is fast. It is also long enough for a CI pipeline running on every push to pull the bad version into hundreds of environments. The blast list already includes Mistral AI, UiPath (NYSE: PATH), OpenSearch, and Guardrails AI, meaning AI-native shops are disproportionately exposed because their dependency trees are deep, fast-moving, and full of TypeScript tooling like TanStack.
Where the existing controls cracked
OpenAI had a hardened npm install policy after the Axios incident — registry pinning, allowlists, the usual hardening you write down after the first scare. The two compromised laptops simply hadn't received the rollout. Configuration drift between fleet policy and the actual endpoint is the real lesson, and it's the lesson nobody wants to write a postmortem about, because every org has it.
What this changes for builders
Treat your package-lock.json as a security artifact, not a build artifact. Pin by integrity hash, not version. Move code-signing keys out of any laptop that runs npm install — hardware-backed signing in CI is no longer optional for anyone shipping a desktop binary. And run a fleet-wide check that your npm install controls actually landed on every machine, not just the ones that responded to MDM last week. The next worm is being written against the assumption that you didn't.
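The two checks above (lockfile as a security artifact, and proof that the install policy actually reached each endpoint) and the install-script execution vector described earlier can be audited with a single script. What follows is an added example written for this article; it is not code from OpenAI, StepSecurity, TanStack or npm. It assumes a lockfile in the v2/v3 format (the `packages` map, where npm records `integrity`, `resolved` and `hasInstallScript` per entry), a placeholder approved registry URL, and a placeholder allowlist of packages whose install scripts have been reviewed. The sample lockfile and `.npmrc` are constructed for the demonstration.

```javascript
'use strict';

// Assumed policy values (placeholders for this example, not from the article).
const APPROVED_REGISTRY = 'https://registry.npmjs.org/';
// Packages whose install lifecycle scripts have been reviewed (assumed list).
const INSTALL_SCRIPT_ALLOWLIST = new Set(['esbuild']);

// Audit a parsed package-lock.json (lockfileVersion 2 or 3). Returns findings;
// an empty array means every fetched package is hash-pinned, comes from the
// approved registry, and declares no unreviewed install script.
function auditLockfile(lock) {
  const findings = [];
  if (!lock.packages || typeof lock.packages !== 'object') {
    findings.push({ pkg: '<root>', rule: 'lockfile-version',
      detail: 'no "packages" map; lockfileVersion 2 or 3 required' });
    return findings;
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;   // the root project itself
    if (entry.link) continue;    // workspace symlink, nothing is downloaded
    const name = path.replace(/^.*node_modules\//, ''); // keeps @scope/name
    if (!entry.integrity) {
      findings.push({ pkg: name, rule: 'missing-integrity',
        detail: `version ${entry.version} has no integrity hash` });
    } else if (!/^sha512-/.test(entry.integrity)) {
      findings.push({ pkg: name, rule: 'weak-integrity',
        detail: `integrity uses ${entry.integrity.split('-')[0]}, expected sha512` });
    }
    if (entry.resolved && !entry.resolved.startsWith(APPROVED_REGISTRY)) {
      findings.push({ pkg: name, rule: 'foreign-registry',
        detail: `resolved from ${entry.resolved}` });
    }
    // npm sets hasInstallScript when the package has preinstall/install/postinstall.
    if (entry.hasInstallScript && !INSTALL_SCRIPT_ALLOWLIST.has(name)) {
      findings.push({ pkg: name, rule: 'install-script',
        detail: 'declares an install lifecycle script; review before installing' });
    }
  }
  return findings;
}

// Parse .npmrc text into key/value pairs, ignoring comments and blank lines.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Endpoint control check: returns the policy lines this machine is missing.
// An empty array means the rollout actually landed here.
function auditNpmrc(text) {
  const cfg = parseNpmrc(text);
  const missing = [];
  if (cfg['ignore-scripts'] !== 'true') missing.push('ignore-scripts=true');
  if (cfg['registry'] !== APPROVED_REGISTRY) missing.push(`registry=${APPROVED_REGISTRY}`);
  return missing;
}

// Constructed sample lockfile; package names and hashes are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/left-util': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/left-util/-/left-util-2.1.0.tgz',
      integrity: 'sha512-AAAA',
    },
    'node_modules/@scope/hooked-lib': {
      version: '0.3.2',
      resolved: 'https://registry.npmjs.org/@scope/hooked-lib/-/hooked-lib-0.3.2.tgz',
      integrity: 'sha512-BBBB',
      hasInstallScript: true,          // unreviewed lifecycle script
    },
    'node_modules/mirror-dep': {
      version: '1.4.0',
      resolved: 'https://mirror.example.internal/mirror-dep/-/mirror-dep-1.4.0.tgz',
      // no integrity field: npm cannot verify what it downloads
    },
    'node_modules/esbuild': {
      version: '0.20.0',
      resolved: 'https://registry.npmjs.org/esbuild/-/esbuild-0.20.0.tgz',
      integrity: 'sha512-CCCC',
      hasInstallScript: true,          // allowlisted, so not flagged
    },
  },
};

// Constructed endpoint config: registry pinned, but scripts were never disabled.
const SAMPLE_NPMRC = [
  '# machine that missed the rollout',
  'registry=https://registry.npmjs.org/',
  'save-exact=true',
].join('\n');

console.log(auditLockfile(SAMPLE_LOCK));   // three findings, two for mirror-dep
console.log(auditNpmrc(SAMPLE_NPMRC));     // [ 'ignore-scripts=true' ]
```

In practice the two functions take `JSON.parse(fs.readFileSync('package-lock.json'))` and the contents of the user and project `.npmrc`; the lockfile audit belongs in CI as a merge gate, and the `.npmrc` audit is what the fleet inventory should report per machine rather than per policy document. With `ignore-scripts=true` in place, packages on the allowlist need their build steps run deliberately (for example with `npm rebuild` for those names) instead of implicitly during every install.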