OpenAI confirms two devices compromised in TanStack supply-chain attack


OpenAI has found no evidence that its user data was accessed after a security issue involving a supply-chain attack on TanStack, an open-source npm library.

Key takeaways:

The ChatGPT-maker said it found no evidence that its production systems or intellectual property were compromised, or that its software was altered.


According to OpenAI, two employee devices in its corporate environment were impacted after TanStack, a widely used open-source library, was compromised earlier this week.

Cybernews has previously reported that hundreds of malicious packages were flagged in the npm and PyPI repositories, including packages from TanStack and Mistral, as part of a major hacking campaign targeting millions of developers.


The malware steals credentials and wipes all data when it’s done. On Monday, hackers published 84 malicious versions across 42 TanStack packages, which are popular among developers who build web applications.

Now, OpenAI claims that limited credential material was exfiltrated from these code repositories and no other information or code was impacted. The company added that it isolated the impacted systems immediately after the attack and temporarily restricted code-deployment workflows to contain the impact.


According to OpenAI, it is now rotating code-signing certificates, which would require macOS users to update their applications. The company did not immediately respond to a Reuters request for further details.

