
OpenAI says hackers stole some data after latest code security issue
Quick Answer
OpenAI confirmed that hackers compromised two employees' devices through an attack on the TanStack library, but found no evidence of user data access or software alteration.
Quick Take
OpenAI confirmed that hackers compromised two employees' devices through an attack on the TanStack library, but found no evidence of user data access or software alteration. The attack involved 84 malicious software versions designed to steal credentials and propagate malware.
Key Points
- Hackers hijacked TanStack, releasing 84 malicious software versions in six minutes.
- OpenAI's internal source code repositories experienced unauthorized access but limited credential theft.
- The attack is part of a larger trend of supply-chain attacks targeting open source projects.
- OpenAI is rotating digital certificates as a precaution after the incident.
- Previous supply-chain attacks have been linked to groups like TeamPCP and North Korean hackers.
📖 Reader Mode
~3 min readEarlier this week, hackers hijacked several open source projects used by dozens of companies and pushed updates designed to spread malware. This is the latest in a string of recent supply-chain attacks targeting software developers and their projects.
On Wednesday, OpenAI confirmed that two employees had their devices “impacted by this attack.” But, after an investigation, the company said in a blog post that it found “no evidence that OpenAI user data was accessed, that our production systems or intellectual property were compromised, or that our software was altered.”
OpenAI said that employees’ devices were compromised by an earlier attack on TanStack, a popular open source library that helps developers build web apps.
On Monday, TanStack disclosed the attack and published a postmortem, saying hackers published 84 malicious versions of its software during a six-minute window. The project said a researcher detected the attack within 20 minutes. The malicious TanStack versions included malware that was designed to steal credentials from computers that the software was installed on and to self-propagate to spread to other systems.
Contact Us
Do you have more information about this supply chain attack? Or other supply chain compromises? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
On its part, OpenAI said that it saw unauthorized access and theft of credentials “in a limited subset of internal source code repositories to which the two impacted employees had access.”
According to the AI giant, “only limited credential material” was taken from the affected code repositories. As a precaution, given that the affected repositories contained digital certificates used to sign OpenAI’s products, the company said it’s rotating the certificates “as a precaution,” which will require macOS users to update the app.
“We have found no evidence of compromise or risk to existing software installations,” the company wrote.
It's not clear who is behind the TanStack attack. Some of the past supply-chain hacks have been attributed to a hacking gang known as TeamPCP, a group that was itself a target of hackers.
But there have been other groups that have employed the same tactics against other projects. In March, North Korean hackers hijacked Axios, a popular open source development tool, and pushed malware that could have infected millions of developers. And in May, Chinese hackers were accused of a similar attack targeting thousands of Windows computers running disc-imaging software Daemon Tools.
In these attacks, instead of targeting specific companies, hackers take over open source projects and push out malware disguised as innocuous regular updates. This allows them to potentially compromise dozens of targets with just one hack, spreading the damage across the internet.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.
You can contact or verify outreach from Lorenzo by emailing lorenzo@techcrunch.com, via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.
— Originally published at techcrunch.com
Want this in your inbox every morning?
Daily brief at your local 8am — bilingual EN/中文, free.
More from TechCrunch
See more →
Qualcomm wants to be the chip inside whatever replaces your smartphone, and it just announced two products toward that end
Qualcomm is developing over 40 new AI hardware designs aimed at becoming the core technology in devices that will replace smartphones. This strategic move highlights Qualcomm's ambition to lead in the next generation of mobile computing, focusing on AI integration across various platforms.



