NewsNTech
Decompiled: How a Poisoned TanStack Package Punched Two OpenAI Laptops

Behind the meter on the latest npm supply-chain hit: a malware strain called Mini Shai-Hulud rode legitimate publishing credentials into 84 tainted releases across 42 packages, including @tanstack/react-router — a router pulling 12 million weekly downloads.
Two engineering laptops inside OpenAI ran npm install before the policy fence caught up. That's the whole story in one sentence, and it's also why the rest of this matters.
OpenAI says no production systems, customer data, or model weights were touched. The forensic firm it brought in confirmed the blast radius stopped at two endpoints.
But "stopped at two endpoints" still means the attackers walked off with code-signing certificates for the macOS builds of ChatGPT Desktop, Codex, and Atlas.