A threat actor tracked as TeamPCP compromised over 170 npm and PyPI packages — including TanStack, Mistral AI, UiPath, Guardrails AI, and OpenSearch — via stolen CI/CD credentials, reaching two OpenAI developer endpoints and exposing code-signing certificates for OpenAI’s macOS, Windows, iOS, and Android desktop applications. Any organization consuming the affected packages faces potential credential theft and build artifact contamination. OpenAI has set a hard deadline of 2026-06-12 for macOS users to update before certificate validation failures cause the applications to stop working.