Home > Security > Security News

OpenAI Addresses TanStack NPM Supply-Chain Attack Impact: ⁠Production Systems, Intellectual Property Not Compromised

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
OpenAI Logo
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • Data security: OpenAI states that there is no evidence that user data or intellectual property was accessed.
  • Impacted devices: Two corporate employee devices were affected following the library breach.
  • Mitigation protocol: Code-signing certificates are rotating, requiring macOS users to update applications.

OpenAI announced on Wednesday that a recent security issue involving a supply-chain attack on the open-source library TanStack npm did not result in the access of user data. The company stated that internal reviews found no evidence that its production systems or intellectual property were compromised, nor that any of its software was altered during the incident.

Corporate Environment and Credential Exfiltration

The security incident occurred when TanStack, an npm package and widely used open-source library, experienced a supply chain compromise earlier this week. Following this external breach, OpenAI confirmed that two employee devices operating within its corporate environment were directly impacted, Reuters has reported.

The announcement mentions that attackers exfiltrated limited credential material from specific code repositories during the unauthorized access. However, the organization noted that no other sensitive information or code was impacted by the security event.

To effectively contain the operational impact, the AI firm immediately isolated the impacted systems upon discovering the intrusion. Furthermore, OpenAI temporarily restricted internal code-deployment workflows to secure its network architecture and prevent downstream vulnerabilities.

Mitigation Efforts

As part of its ongoing mitigation efforts, OpenAI is currently rotating its code-signing certificates. Because of this infrastructure update, macOS users will need to update their applications by June 12, 2026.

On May 11, an attacker published 84 malicious versions across 42 TanStack npm packages, ultimately resulting in credential theft targeting common locations such as AWS IMDS/Secrets Manager, GCP metadata, Kubernetes service account tokens, Vault tokens, ~/.npmrc, GitHub tokens (env, gh CLI, .git-credentials), and SSH private keys.

In March, BeyondTrust Phantom Labs identified an OpenAI Codex command injection flaw that exposed GitHub credentials. In other recent news, Mistral announced it was affected by the TanStack supply chain attack.

Add a Comment
Related
Iran-Linked MuddyWater Group Breached Organizations in 9 Countries in Q1 2026, Including Major Electronics Maker
TeamPCP Claims Mistral AI Breach, the Company Announces Being Impacted by the TanStack Supply Chain Attack
Suspected German Dream Market Admin Indicted and Arrested for Laundering Illegal Proceeds
Fortinet Patches Critical RCE Vulnerabilities in FortiSandbox and FortiAuthenticator
Canvas Cyberattack: Instructure Pays ShinyHunters Ransom, US House Committee Asks for Investigation
Sophos 2026 Report Details Escalating Security Threats: Identity Security Breaches Cost $1.6 Million
Most Popular
Iran-Linked MuddyWater Group Breached Organizations in 9 Countries in Q1 2026, Including Major Electronics Maker
TeamPCP Claims Mistral AI Breach, the Company Announces Being Impacted by the TanStack Supply Chain Attack
Iran internet blackout women impact online livelihood hit!!!
Women in Iran Hit Hard as Internet Blackouts Collapse Online Work and Income
Russia official says full VPN ban impossible in crackdowns
Russia Official Says Fully Banning VPNs Is ‘Impossible’ Amid Internet Crackdown
Suspected German Dream Market Admin Indicted and Arrested for Laundering Illegal Proceeds
Utah Age Verification Law Challenged by Pornhub's Aylo in Court
Pornhub Owner Sues Utah Over New Child Protection Law Targeting Adult Websites
Iran-Linked MuddyWater Group Breached Organizations in 9 Countries in Q1 2026, Including Major Electronics Maker
TeamPCP Claims Mistral AI Breach, the Company Announces Being Impacted by the TanStack Supply Chain Attack
Women in Iran Hit Hard as Internet Blackouts Collapse Online Work and Income
Russia Official Says Fully Banning VPNs Is ‘Impossible’ Amid Internet Crackdown
Suspected German Dream Market Admin Indicted and Arrested for Laundering Illegal Proceeds
Pornhub Owner Sues Utah Over New Child Protection Law Targeting Adult Websites

Most Popular
Iran-Linked MuddyWater Group Breached Organizations in 9 Countries in Q1 2026, Including Major Electronics Maker
TeamPCP Claims Mistral AI Breach, the Company Announces Being Impacted by the TanStack Supply Chain Attack
Iran internet blackout women impact online livelihood hit!!!
Women in Iran Hit Hard as Internet Blackouts Collapse Online Work and Income
Russia official says full VPN ban impossible in crackdowns
Russia Official Says Fully Banning VPNs Is ‘Impossible’ Amid Internet Crackdown
Suspected German Dream Market Admin Indicted and Arrested for Laundering Illegal Proceeds
Utah Age Verification Law Challenged by Pornhub's Aylo in Court
Pornhub Owner Sues Utah Over New Child Protection Law Targeting Adult Websites
Iran-Linked MuddyWater Group Breached Organizations in 9 Countries in Q1 2026, Including Major Electronics Maker
TeamPCP Claims Mistral AI Breach, the Company Announces Being Impacted by the TanStack Supply Chain Attack
Women in Iran Hit Hard as Internet Blackouts Collapse Online Work and Income
Russia Official Says Fully Banning VPNs Is ‘Impossible’ Amid Internet Crackdown
Suspected German Dream Market Admin Indicted and Arrested for Laundering Illegal Proceeds
Pornhub Owner Sues Utah Over New Child Protection Law Targeting Adult Websites

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: