#0412
OpenAI details fallout from TanStack npm supply-chain attack
40radar
TanStack: frontend toolkit, the suite behind Query, Table, and more
A compromised dependency chain reached OpenAI apps, forcing macOS users to update by June 12, 2026. The practical takeaway is simple: audit signing paths and third-party packages now, not after the alert lands.
- The incident is tied to the TanStack Mini Shai-Hulud attack, so this was not an isolated app bug but a broader npm supply-chain breach.
- OpenAI says it secured internal systems and signing certificates; that puts code-signing infrastructure, not just package locks, on the threat model.
- macOS users must update OpenAI apps by 2026-06-12. If a dev tool touches local files or credentials, delayed updates are a real risk.
- The useful lesson is operational: dependency monitoring, certificate hygiene, and forced-update paths need to exist before the next package compromise.
Source: openai.com/index/our-response-to-the-tanstack-npm-supply