Dispatch
OpenAI Responds to TanStack 'Mini Shai-Hulud' npm Supply Chain Attack — macOS Users Must Update by June 12
OpenAI disclosed its response to the Mini Shai-Hulud worm that compromised 169 npm packages including TanStack and Mistral. Two employee devices lacked updated configurations to prevent malware download. OpenAI is revoking signing certificates by June 12, 2026 — after that date, older macOS OpenAI apps will be blocked. The company hardened CI/CD credentials and deployed package provenance validation.
Source
↳ Follow the thread