OpenAI impacted by TanStack supply-chain attack.

Summary

By the N2K CyberWire staff

OpenAI impacted by TanStack supply-chain attack.

OpenAI has disclosed that two of its employee devices were compromised by a supply-chain attack that affected the TanStack npm library earlier this week, SecurityWeek reports. TanStack, an open-source React framework, was Trojanized by the Shai-Hulud worm, which has been used by the TeamPCP criminal threat actor to launch widespread supply-chain attacks against the npm and PyPI open-source ecosystems. The attack on TanStack then spread to nearly 400 other packages.

OpenAI says it's "found no evidence that OpenAI user data was accessed, that our production systems or intellectual property were compromised, or that our software was altered." The company is "taking steps to protect the process that certifies our macOS applications are legitimate OpenAI apps," and will require all users to update their macOS applications by June 12, 2026.

The browser is the new endpoint. Are you securing it?

Today’s work happens in the browser - but that’s also where new risks live. From shadow IT to session-based threats, critical activity often goes unseen.

NordLayer Browser gives IT teams visibility and control inside the browser itself—helping protect company data and enforce security across SaaS apps without disrupting workflows.

If your security stack stops short of the browser, it may be time to take a closer look.

Shai-Hulud code has been leaked.

Two days after the TanStack incident, someone claiming to be affiliated with TeamPCP released the complete source code of the Shai-Hulud worm. Researchers at Datadog say the code appears to be legitimate, noting that the framework is "a modular TypeScript/Bun toolkit for credential harvesting, supply chain poisoning, and encrypted data exfiltration, targeting both CI/CD pipelines and developer workstations."

The code was posted online on Tuesday. It's unclear if the individual who posted the code is actually associated with TeamPCP, and their motivations for posting the code are unknown.

Iran’s evolving cyber playbook.

Iran’s cyber operations have evolved beyond destructive malware, with actors pivoting to target identity systems. Dave Bittner sat down with Sam Rubin, Senior Vice President at Palo Alto Networks, to discuss how Iranian groups are weaponizing stolen credentials and trusted access to reach high-value targets. Whether it be attacking vulnerable trusted parties or crafting documents loaded with malware, listen to the conversation to learn how Iran’s pivot is impacting the cybersecurity landscape.

Microsoft warns of critical zero-day in on-prem Exchange Servers.

Microsoft yesterday published an advisory on an unpatched vulnerability (CVE-2026-42897) affecting Outlook Web Access in on-premises Exchange Servers, Infosecurity Magazine reports. Microsoft states, "An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context."

Microsoft is working on a patch and urges users to apply mitigations in the meantime. The recommended mitigation is to enable the Exchange Emergency Mitigation (EM) Service.

Notes.

Today's issue includes events affecting , and the United States.

Attacks, Threats, and Vulnerabilities

Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor (Darktrace) Darktrace researchers identified a Twill Typhoon–linked China‑nexus campaign targeting APJ customers. The activity observed includes CDN impersonation, legitimate binaries, and DLL sideloading to deploy a modular .NET RAT.

Inside the Underground Market That Unlocks Stolen iPhones (Infoblox Blog) Stolen iPhones are worthless when locked—until thieves use lookalike domains and underground unlocking tools to bypass Apple’s security and pwn the phone.

Legislation, Policy, and Regulation

What's Next for the Proposed HIPAA Security Rule Overhaul? (BankInfoSecurity) Will Regulators Make the May Deadline, and What Changes Will Make the Cut?

Industry Events

For a complete running list of events, please visit the Event Tracker.

Newly Noted Events

ESET World (Virtual and Berlin, Germany, May 19 - 20, 2026) Connect with CISOs, renowned threat hunters and cyber experts who advise top organizations and global institutions, helping shape a more resilient world.

Events

ASCEND 2026 (Washington, DC, USA, May 19 - 21, 2026) ASCEND connects the civil, commercial, and national security space sectors, along with adjacent industries, to embrace the opportunities and address the challenges that come with increased activity in space. Building our sustainable off-world future requires long-term thinking. Strategic planning, innovation, scientific exploration, and effective regulations and standards will help us preserve space for future generations. ASCEND will enable the technical exchanges, debates, and collaboration that will help forge a sustainable off-world future for all.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 05.15.26

Top stories.

OpenAI impacted by TanStack supply-chain attack.

Shai-Hulud code has been leaked.

Microsoft warns of critical zero-day in on-prem Exchange Servers.

Notes.

Attacks, Threats, and Vulnerabilities

Legislation, Policy, and Regulation

Newly Noted Events

Events