The company assured that the incident only affected the devices of two employees and that no user data, production systems, or intellectual property were compromised. It is rotating certificates as a preventive measure.
This week, hackers compromised several open-source projects used by dozens of companies and distributed malicious updates to spread malware. This is the latest case of supply chain attacks targeting software developers.
OpenAI reported that two of its employees had their devices affected by this incident. After an internal investigation, the company stated that there is no evidence of access to user data, compromise of production systems, or theft of intellectual property.
The attack originated in TanStack, a popular open-source library that helps build web applications. On Monday, the project published a detailed report revealing that the attackers published 84 malicious versions of its software in a window of just six minutes. A researcher detected the anomaly in less than 20 minutes.
The infected versions included malware designed to steal credentials from the computers where it was installed and automatically propagate to other systems.
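The detail that stands out for defenders is the publishing pattern: dozens of versions in a few minutes is far outside any project's normal release cadence, and that is what let a researcher spot the anomaly quickly. The script below is an added example, not code from TanStack, OpenAI, or the original report. It assumes package metadata in the shape of the npm registry's `time` field (version to publish timestamp); the sample data embedded here is constructed, not real registry output.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the npm registry "time" field for a package
# (assumption: real metadata comes from https://registry.npmjs.org/<package>).
# Three normal releases months apart, then eight versions in about five minutes.
SAMPLE_TIME_FIELD = {
    "created": "2023-01-10T12:00:00.000Z",
    "modified": "2024-06-20T10:00:00.000Z",
    "1.0.0": "2023-01-10T12:00:00.000Z",
    "1.1.0": "2023-04-02T08:30:00.000Z",
    "1.2.0": "2024-01-15T10:00:00.000Z",
    "1.2.1": "2024-06-03T09:00:00.000Z",
    "1.2.2": "2024-06-03T09:00:45.000Z",
    "1.2.3": "2024-06-03T09:01:30.000Z",
    "1.2.4": "2024-06-03T09:02:15.000Z",
    "1.2.5": "2024-06-03T09:03:00.000Z",
    "1.2.6": "2024-06-03T09:03:45.000Z",
    "1.2.7": "2024-06-03T09:04:30.000Z",
    "1.2.8": "2024-06-03T09:05:15.000Z",
    "1.3.0": "2024-06-20T10:00:00.000Z",
}


def parse_publish_times(time_field):
    """Return (timestamp, version) pairs sorted by time, skipping the
    registry's bookkeeping keys 'created' and 'modified'."""
    events = []
    for version, stamp in time_field.items():
        if version in ("created", "modified"):
            continue
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((when.replace(tzinfo=timezone.utc), version))
    return sorted(events)


def find_publish_bursts(time_field, window_minutes=10, min_versions=5):
    """Sliding window over publish times. A burst is any run of at least
    `min_versions` releases whose first and last publish are no more than
    `window_minutes` apart. Returns one record per burst."""
    events = parse_publish_times(time_field)
    window = timedelta(minutes=window_minutes)
    bursts = []
    i = 0
    while i < len(events):
        j = i
        # Extend the window while the next release is still within it.
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
            j += 1
        count = j - i + 1
        if count >= min_versions:
            bursts.append({
                "start": events[i][0].isoformat(),
                "end": events[j][0].isoformat(),
                "count": count,
                "versions": [v for _, v in events[i:j + 1]],
            })
            i = j + 1  # skip past the burst so it is reported once
        else:
            i += 1
    return bursts


def flagged_versions(time_field, **kwargs):
    """Set of versions that fall inside any burst; compare against the
    versions pinned in a lockfile before allowing an upgrade."""
    return {v for b in find_publish_bursts(time_field, **kwargs) for v in b["versions"]}


if __name__ == "__main__":
    for burst in find_publish_bursts(SAMPLE_TIME_FIELD):
        print(f"{burst['count']} versions between {burst['start']} and {burst['end']}: "
              f"{burst['versions'][0]} .. {burst['versions'][-1]}")
```

The thresholds are deliberately conservative (five releases in ten minutes) so that a busy but legitimate release day does not trip the check; a burst on the scale described in the article is an order of magnitude beyond them. A practical use is a CI step that refuses to bump a dependency to any version in `flagged_versions` until someone has reviewed it.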
Limited access to internal repositories
According to OpenAI, the compromise of the affected employees' devices led to unauthorized access to, and credential theft from, a limited subset of internal source code repositories. Only limited credential material was extracted from those repositories.
As a precaution, since some repositories contained digital certificates used to sign OpenAI products, the company decided to rotate those certificates. This measure will require macOS users to update the application.
“We found no evidence of compromise or risk to existing software installations,” the company detailed in its statement.
This type of supply chain attack has become increasingly common. Instead of directly targeting a specific company, cybercriminals compromise popular open-source projects and distribute fake updates that appear legitimate. In this way, they can affect multiple targets with a single move.
Recent background
In March, North Korean hackers compromised Axios, another open-source development tool, and distributed malware that could have infected millions of developers. In May, Chinese actors were accused of a similar attack against thousands of Windows computers using disk imaging software called Daemon Tools.
In the case of TanStack, it is still unclear who is behind the attack. Some previous similar incidents were attributed to the TeamPCP group, although there are also other actors employing the same tactics.
OpenAI emphasized that the impact was limited to the employees' devices and did not reach its core systems. The company continues to monitor the situation and recommends that its users stay alert for security updates, especially those related to the certificate rotation.