OpenAI says two employees' devices were breached in the recent TanStack supply-chain attack that impacted hundreds of npm and PyPI packages, prompting the company to rotate the code-signing certificates for its applications as a precaution.
In a security advisory published today, the company said the incident did not impact customer data, production systems, intellectual property, or deployed software.
The company says the breach is linked to the recent "Mini Shai-Hulud" supply-chain campaign by the TeamPCP extortion gang, which targeted developers by slipping malicious updates into trusted and popular software packages.
"We observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access," OpenAI explained.
The company says that only limited credentials were stolen from the repositories in the attack and that there is no evidence they were used in additional attacks.