OpenAI confirms data theft after supply chain attack on TanStack
Original: OpenAI says hackers stole some data after latest code security issue
Why This Matters
Supply chain attacks pose growing threat to AI companies' security infrastructure
OpenAI disclosed that attackers obtained limited credential material from internal source code repositories after two employees' devices were compromised in a supply chain attack on the TanStack open source libraries. The malicious package versions were published within a six-minute window on Monday.
OpenAI confirmed on Wednesday that two employees' devices had been compromised in a supply chain attack on TanStack, a popular family of open source web development libraries. The attackers published 84 malicious package versions within a six-minute window on Monday; the packages carried malware designed to steal credentials and self-propagate. OpenAI said the resulting unauthorized access led to the theft of 'limited credential material' from internal source code repositories that the affected employees could reach. The company found no evidence that user data was accessed, that production systems were compromised, or that intellectual property was stolen. As a precaution, OpenAI is rotating the digital certificates used to sign its products, which will require updates to its macOS apps. The incident is the latest in a recent string of supply chain compromises targeting software developers.