The story everyone is reading says: OpenAI got brushed by a supply chain attack, no user data exposed, move along. The story underneath the wire is more interesting. Two engineering laptops at one of the most security-conscious companies on the planet were running an outdated install configuration when 84 poisoned versions of TanStack packages shipped to npm. The package those laptops pulled in, @tanstack/react-router, gets downloaded over 12 million times a week. The blast radius wasn't OpenAI. The blast radius was the registry.
The malware, dubbed Mini Shai-Hulud, behaves more like a worm than a traditional credential stealer. Once a developer or CI runner installs the bad version, it scrapes GitHub tokens, cloud API keys, and SSH material from the local environment, then attempts to republish itself into other npm packages the victim maintains. The attacker doesn't have to phish anyone after the first install. The maintainer's own publish keys do the propagation. That's why a single compromise of TanStack's signing keys spawned 84 malicious package versions across 42 packages before npm pulled them.
Behind the meter, this is a CI/CD trust problem dressed up as a package problem. The build pipeline that publishes @tanstack/react-router is the same trusted surface that every downstream npm install implicitly approves. When the publish key gets popped, the lockfile gives you no warning, the integrity hash matches, and a postinstall script runs with full developer-account privileges. StepSecurity caught the bad versions about 20 minutes after publication, which is fast for human response and slow for a worm.
The OpenAI-specific detail is what should make every engineering org rerun its patch report. OpenAI had already hardened against this class of attack after the Axios incident. The two compromised laptops had simply not picked up the updated controls yet. Drift between intended baseline and actual fleet state turned a solved problem back into an unsolved one. The attackers also walked away with macOS code-signing certificates from internal repos those laptops could read. Anyone running ChatGPT Desktop, Codex, or the Atlas app on Mac has until June 12 to update or watch macOS Gatekeeper block the binary, because Apple has already invalidated notarization on the old certs.
The other piece worth naming: the payload installs a persistent daemon that watches for token revocation, and if the stolen GitHub token gets pulled, it wipes the victim's home directory. That's a dead-man's switch in a JavaScript package. We've moved past credential theft into operational sabotage as a default capability.
What this changes for builders. Treat lockfiles as advisory, not authoritative. Pin to specific versions in CI, mirror npm into a private proxy that quarantines new releases for at least an hour, and audit your fleet for drift on the security controls you already shipped. Postinstall scripts should not have unrestricted network egress on engineering laptops. And if your codebase is the publishing surface for anyone else, your maintainer credentials are now critical infrastructure, not developer convenience. Mini Shai-Hulud is the proof that npm, PyPI, and every other registry are now part of the attack graph, whether you treat them that way or not.
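
The hour-long quarantine recommended above can also be enforced as a pre-install check on the lockfile, as in this added example (not code from the article or from any project it names). The lockfile excerpt, versions, timestamps and `example-*` package names are constructed, and the publish-time map is assumed to have been collected beforehand from each package's registry `time` data.

```javascript
// Added example. All data below is constructed; versions and times are not real indicators.
const QUARANTINE_MS = 60 * 60 * 1000; // the article's "at least an hour"

// Constructed package-lock.json excerpt (lockfileVersion 3 layout).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/react-router": { version: "0.0.0-constructed", hasInstallScript: true },
    "node_modules/example-old-dep": { version: "1.0.0" },
    "node_modules/example-unlisted-dep": { version: "2.0.0" },
  },
};

// Constructed stand-in for each package's registry `time` map (version -> publish time).
const samplePublishTimes = {
  "@tanstack/react-router": { "0.0.0-constructed": "2030-01-01T11:40:00Z" },
  "example-old-dep": { "1.0.0": "2029-06-01T00:00:00Z" },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null.
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Return every locked dependency that must not be installed yet.
function quarantineReport(lock, publishTimes, nowMs, windowMs = QUARANTINE_MS) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockKey(key);
    if (!name || !entry.version) continue; // root project or link entry
    const published = publishTimes[name]?.[entry.version];
    let reason = null;
    if (!published) reason = "unknown-publish-time"; // fail closed
    // Negated >= so an unparseable timestamp (NaN) also fails closed.
    else if (!(nowMs - Date.parse(published) >= windowMs)) reason = "inside-quarantine-window";
    if (reason) {
      findings.push({ name, version: entry.version, reason, installScript: entry.hasInstallScript === true });
    }
  }
  return findings;
}

// Evaluated 20 minutes after the constructed publish time above.
const report = quarantineReport(sampleLock, samplePublishTimes, Date.parse("2030-01-01T12:00:00Z"));
console.log(report);
```

A CI job would fail the build when the report is non-empty, giving priority to entries where `installScript` is true, since those run code at install time.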