OpenAI confirmed that a software supply-chain attack compromised two of its employee devices. [3, 7] The breach was caused by malicious versions of a widely used open-source library known as TanStack npm, which was part of a broader hacking campaign. [1, 3, 5] The attackers gained unauthorized access and successfully exfiltrated a limited amount of credential material from the compromised devices. [1, 4]
OpenAI stated that its investigation found no evidence that customer data, production systems, or intellectual property had been accessed or stolen. [2, 7, 9] The company responded by isolating the impacted systems, rotating credentials, and updating security certificates to contain the threat. [1] The incident highlights the growing security risks associated with open-source software dependencies in corporate environments. [3]