OpenAI confirms limited credential theft following TanStack supply chain breach
While internal source code repositories were accessed, the company states that no user data, production systems, or intellectual property were compromised in the incident linked to the TanStack library attack.

OpenAI has confirmed that hackers compromised the devices of two employees following a supply chain attack on the open-source library TanStack. The company stated that while limited credentials were stolen from internal source code repositories, no user data, production systems, or intellectual property were accessed. OpenAI is rotating digital certificates as a precaution, which will require macOS users to update the OpenAI application.
The breach stems from an incident on Monday where hackers published 84 malicious versions of the TanStack software during a six-minute window. A researcher detected the attack within 20 minutes of its publication. The malicious versions contained malware designed to steal credentials and self-propagate to other systems, a tactic that allows attackers to potentially compromise dozens of targets with a single hack.
OpenAI observed unauthorized access and the theft of credentials in a limited subset of internal source code repositories accessible to the two impacted employees. The company emphasised that only limited credential material was taken from the affected code repositories. Crucially, OpenAI stated there is no evidence of compromise or risk to existing software installations, nor was any intellectual property or user data accessed.
As a precautionary measure, OpenAI is rotating the digital certificates used to sign its products. This process will require macOS users to update the application to ensure continued security. The company noted in a blog post that it found no evidence that its production systems or intellectual property were compromised, or that its software was altered.
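The practical question for any team that depends on the affected library is whether one of the malicious versions ever landed in a project's dependency tree. The script below is an added example (not code from OpenAI, TanStack, or the article) that audits an npm `package-lock.json` against a denylist of known-bad package versions and also lists packages that declare an install script, since those run arbitrary code at `npm install` time and deserve review after a supply chain incident. The package names and version numbers in `BAD_VERSIONS` and in the sample lockfile are constructed placeholders: the article does not enumerate the 84 malicious versions, so they must be replaced with the identifiers from the upstream advisory before real use.

```python
"""Audit an npm lockfile for known-bad package versions and install scripts.

Added example; not OpenAI's, TanStack's, or the article's code. The
denylist and sample lockfile are CONSTRUCTED placeholders (assumption):
substitute real advisory data before running this against a project.
"""
import json
import sys
from typing import Dict, List, Set, Tuple

# Constructed placeholder denylist: package name -> set of bad versions.
# The real malicious versions are not given in the article; fill from the advisory.
BAD_VERSIONS: Dict[str, Set[str]] = {
    "@example-scope/example-package": {"9.9.9", "9.9.10"},
}


def parse_lockfile(lock: dict) -> List[Tuple[str, str, bool]]:
    """Return (name, version, has_install_script) for each installed package.

    Works on lockfileVersion 2/3, where "packages" maps install paths such as
    "node_modules/@scope/name" or "node_modules/a/node_modules/b" to metadata.
    The package name is whatever follows the last "node_modules/"; the ""
    key is the root project and is skipped.
    """
    entries = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        has_script = bool(meta.get("hasInstallScript", False))
        entries.append((name, version, has_script))
    return entries


def audit(lock: dict, denylist: Dict[str, Set[str]] = BAD_VERSIONS):
    """Return (denylist_hits, install_script_packages) as lists of (name, version).

    Nested copies of a package (e.g. a second copy vendored under another
    dependency) are checked individually, since each is a separate install.
    """
    hits: List[Tuple[str, str]] = []
    scripts: List[Tuple[str, str]] = []
    for name, version, has_script in parse_lockfile(lock):
        if version in denylist.get(name, set()):
            hits.append((name, version))
        if has_script:
            scripts.append((name, version))
    return hits, scripts


def audit_file(path: str):
    """Load a package-lock.json from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit(json.load(fh))


# Constructed sample lockfile used when the script runs stand-alone.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@example-scope/example-package": {"version": "9.9.9"},
        "node_modules/helper-lib": {"version": "1.2.3"},
        # Nested, older copy of the same package: not on the denylist.
        "node_modules/helper-lib/node_modules/@example-scope/example-package": {
            "version": "9.8.0"
        },
        "node_modules/native-addon": {"version": "2.0.0", "hasInstallScript": True},
    },
}


if __name__ == "__main__":
    hits, scripts = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_LOCK)
    for name, version in hits:
        print(f"DENYLISTED: {name}@{version}")
    for name, version in scripts:
        print(f"install script (review): {name}@{version}")
    sys.exit(1 if hits else 0)
```

Run it with a path to a project's `package-lock.json` to audit that file, or with no arguments to exercise the constructed sample; a non-zero exit status on any denylist hit lets it gate a CI job. A hit means the bad version was recorded in the lockfile at some point, so the credentials available on every machine that ran `npm install` from it should be treated as exposed and rotated, which mirrors the response described above.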
The incident is part of a broader trend of supply chain attacks targeting software developers and their open-source projects. In March, North Korean hackers hijacked Axios, a popular open-source development tool, pushing malware that could have infected millions of developers. In May, Chinese hackers were accused of a similar attack targeting thousands of Windows computers running disc imaging software Daemon Tools.
While some past supply chain hacks have been attributed to a hacking gang known as TeamPCP, this group has also been a target of other hackers. It remains unclear who is behind the TanStack attack, as other groups have employed similar tactics against other projects.