OpenAI released an official statement on May 14 regarding the recent "Mini Shai-Hulud" supply chain attack. After detecting malicious activity targeting the popular open-source library TanStack and several commonly used npm packages, its security team completed an internal review of company systems, which found no evidence so far that any user data was leaked or accessed without authorization.

Although OpenAI's core services were not compromised, the company issued a security reminder concerning the safety of users' local environments.

macOS users must update by the deadline

OpenAI stated that, to keep endpoints (the users' own devices) secure and to defend against potential follow-on risks, all macOS users of its official applications must complete the software update by June 12, 2026.

TanStack, one of the affected projects, is a collection of open-source libraries widely used in front-end development. In a "supply chain attack", attackers implant malicious code into the underlying tools or software packages that developers commonly depend on; the code runs when a tampered version is installed or built, and through that route the attackers reach the larger platforms built on those tools.

Since OpenAI also uses such open-source libraries in its development process, the security team's quick intervention contained the risk before it could spread. OpenAI says it is now working with security researchers to further strengthen monitoring of third-party dependencies in order to protect the privacy and security of its hundreds of millions of users worldwide.
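Neither the article nor the statement lists the affected package versions. As an added example, not code from the article, OpenAI or TanStack, the following Node.js script shows what the dependency monitoring mentioned above looks like at the level of a single project: it walks an npm package-lock.json (v1 dependency tree or v2/v3 packages map), flags every dependency, including nested copies, whose name and version appear on a watchlist, and separately flags entries that carry a resolved tarball URL but no integrity hash, since npm cannot verify such a download on install. The watchlist entries (`@tanstack/example-pkg`, `left-pad-example`) and the sample lockfile are constructed placeholders; the real entries must come from the advisory.

```javascript
// Added example, not code from the article, OpenAI or TanStack.
// Scans an npm package-lock.json for watchlisted dependencies.
// WATCHLIST and SAMPLE_LOCK are constructed placeholders: fill the
// watchlist from the advisory for the actual affected packages/versions.

// package name -> Set of versions to flag; an empty Set flags every version
// (useful while the affected version range is still unknown).
const WATCHLIST = {
  "@tanstack/example-pkg": new Set(["9.9.9"]), // placeholder name and version
  "left-pad-example": new Set(),               // placeholder name, any version
};

// Lockfile v2/v3 keys look like "node_modules/foo" or, for a nested copy,
// "node_modules/foo/node_modules/@scope/bar"; the root project is "".
function nameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  if (idx === -1) return null;
  return key.slice(idx + "node_modules/".length);
}

function checkEntry(name, meta, path, watchlist, findings) {
  const version = meta.version;
  const bad = watchlist[name];
  if (bad && (bad.size === 0 || bad.has(version))) {
    findings.push({ name, version, path, reason: "watchlisted" });
  }
  // A resolved tarball without an integrity hash is installed unverified.
  if (meta.resolved && !meta.integrity) {
    findings.push({ name, version, path, reason: "no-integrity" });
  }
}

// lockfileVersion 1 nests dependencies as a tree under "dependencies".
function walkV1(deps, parentPath, watchlist, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    checkEntry(name, meta, path, watchlist, findings);
    walkV1(meta.dependencies, `${path}/`, watchlist, findings);
  }
}

// Returns [{ name, version, path, reason }] for every hit in the lockfile.
function scanLockfile(lock, watchlist = WATCHLIST) {
  const findings = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      const name = nameFromKey(key);
      if (name) checkEntry(name, meta, key, watchlist, findings);
    }
  } else {
    walkV1(lock.dependencies, "", watchlist, findings);
  }
  return findings;
}

// Constructed sample lockfile (v3 "packages" map) with one nested copy.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/example-pkg": {
      version: "9.9.9",
      resolved: "https://registry.npmjs.org/@tanstack/example-pkg/-/example-pkg-9.9.9.tgz",
      integrity: "sha512-AAAA",
    },
    "node_modules/left-pad-example": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad-example/-/left-pad-example-1.3.0.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/foo": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/foo/-/foo-2.0.0.tgz", // no integrity field
    },
    "node_modules/foo/node_modules/@tanstack/example-pkg": {
      version: "9.0.0", // nested copy; this version is not on the watchlist
      resolved: "https://registry.npmjs.org/@tanstack/example-pkg/-/example-pkg-9.0.0.tgz",
      integrity: "sha512-CCCC",
    },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]; defaults to the sample.
if (typeof require === "function" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) {
    console.log(`${f.reason}\t${f.name}@${f.version}\t${f.path}`);
  }
}
```

The scan deliberately looks at every nested copy rather than only top-level entries, because a compromised package pulled in transitively is just as dangerous as a direct dependency; the missing-integrity check is a separate hygiene signal, since a lockfile entry without a hash gives npm nothing to verify the tarball against.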