OpenAI Says No User Data Breached in Supply-Chain Attack
News Desk -

OpenAI said it found no evidence that user data was accessed following a security issue linked to a supply-chain attack on TanStack npm, an open-source library widely used by developers.

According to Reuters, the company said on Wednesday that there was no indication its production systems or intellectual property had been compromised. It also said its software had not been altered during the incident.

Two Employee Devices Impacted

However, OpenAI confirmed that two employee devices within its corporate environment were affected after the TanStack library was compromised earlier this week.

The company said limited credential material was exfiltrated from certain code repositories. Still, it added that no other information or code was impacted.

Reuters reported that OpenAI immediately isolated the affected systems after detecting the attack. In addition, the company temporarily restricted its code-deployment workflows to contain the potential impact.

Security Measures Implemented

As part of its response, OpenAI said it is rotating code-signing certificates. Because of this, macOS users will need to update their applications.

The company did not immediately respond to a Reuters request for additional details.

Growing Focus on Supply-Chain Security

The incident highlights ongoing concerns around supply-chain attacks targeting open-source software ecosystems. Such attacks can affect multiple organizations when widely used libraries or dependencies are compromised.

Even so, OpenAI maintained that there is no evidence of unauthorized access to user data, production environments, or core systems following the TanStack-related attack.