
OpenAI Confirms Two Devices Compromised in TanStack Supply Chain Attack, Code-Signing Certs Exposed

  • Shipped
  • Action required
  • High importance

On May 14, OpenAI confirmed that the CVE-2026-45321 supply chain campaign had compromised two employee devices. The campaign seeded malicious versions of TanStack packages, UiPath npm packages, Mistral AI PyPI packages, the OpenSearch JS client, and Guardrails AI across a six-minute window on May 11. The breach exposed the macOS code-signing certificates used by OpenAI's desktop applications.

OpenAI has since re-signed its macOS apps with new certificates and is requiring users to update their OpenAI desktop applications by June 12, 2026, after which builds signed with the old certificates will no longer be trusted.

This disclosure significantly raises the severity of the original TanStack incident, which had previously been understood primarily as a developer-credential theft campaign. The exposure of a major AI vendor's code-signing infrastructure demonstrates that Shai-Hulud-style attacks can propagate upward from developer tooling into released software supply chains.

macOS users of OpenAI desktop apps must update before the June 12 cutoff. Security teams that deployed any of the affected TanStack, UiPath, Mistral AI, or OpenSearch packages in the May 11 window should re-audit CI/CD credential exposure, since the confirmed vendor breach indicates that exfiltrated tokens were likely validated and used.