- OpenAI confirmed that two employee devices were affected in the TanStack “Mini Shai-Hulud” supply chain attack
- The malware extracted limited credential material from internal code repositories; no client data or IP is affected
- OpenAI revoked sessions, rotated credentials, and rotated code signing certificates; macOS users must update their apps, while Windows and iOS users need do nothing
OpenAI confirmed that two employee devices were affected by the recent attack on TanStack’s supply chain, but emphasized that the incident left almost no trace on its operations.
A threat actor known as TeamPCP recently launched the “Mini Shai-Hulud” supply chain attack, in which 84 versions of the TanStack npm package were compromised and used to distribute malware.
The malware TeamPCP planted in those packages was designed to harvest developer credentials, cloud secrets, and SSH keys. It is probably called “Mini Shai-Hulud” because it self-propagates through the ecosystem, much as the earlier Shai-Hulud worm did. The name comes from the giant sandworms in the Dune novels.
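The practical check a defender wants after a compromise like this is whether any of the affected package versions are present in a project's lockfile, including nested copies pulled in transitively. The script below is an added example, not code from the article or from TanStack; the article does not list the 84 affected versions, so the indicator map and the sample package-lock.json are constructed placeholders to be replaced with the published list.

```python
import json
from typing import Dict, List, Set, Tuple

# Placeholder: the article says 84 TanStack package versions were compromised
# but does not list them; replace with the published indicator list.
COMPROMISED_VERSIONS: Dict[str, Set[str]] = {
    "@tanstack/example-package": {"0.0.0-placeholder"},
}

# Constructed sample package-lock.json (lockfileVersion 3 layout) for the demo.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@tanstack/example-package": {"version": "0.0.0-placeholder"},
        "node_modules/@tanstack/other-package": {"version": "1.2.3"},
        "node_modules/some-lib/node_modules/@tanstack/example-package": {"version": "0.0.0-placeholder"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

def package_name_from_path(path: str) -> str:
    """Recover the package name from a lockfile 'packages' key: the name is
    whatever follows the last 'node_modules/' segment (scoped names keep '@')."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx != -1 else path

def find_compromised(lockfile_text: str, indicators: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (path, name, version) for every installed copy whose name/version
    pair is in the indicator list, including nested copies under other packages."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the "" entry is the root project, not a dependency
            continue
        name = package_name_from_path(path)
        if meta.get("version") in indicators.get(name, set()):
            hits.append((path, name, meta["version"]))
    return hits

if __name__ == "__main__":
    for path, name, version in find_compromised(SAMPLE_LOCKFILE, COMPROMISED_VERSIONS):
        print(f"compromised: {name}@{version} at {path}")
```

Run it against a real package-lock.json by reading the file into `find_compromised` instead of the constructed sample; a hit means the dependency must be removed or pinned to a clean version and any credentials present on that build host treated as exposed.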
Confirming the attack
Now, OpenAI has confirmed that two employee devices in its corporate environment were affected.
“We observed activity consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two affected employees had access,” OpenAI said in a blog post.
“We confirm that only limited credential material was successfully extracted from these code repositories and that no other information or code was affected.”
In response to the incident, OpenAI isolated affected systems and identities, revoked user sessions, and rotated all credentials. The company also temporarily restricted code deployment workflows, but so far there has been no evidence that customer data or intellectual property has been affected. There is also no evidence of credential misuse or subsequent access.
The affected source code repositories included signing certificates for OpenAI products, including iOS, macOS, and Windows, forcing the company to rotate code signing certificates as a precaution. As a result, macOS users will need to update their apps. Windows and iOS app users are not required to do anything.
TanStack is a collection of free software tools that help developers manage data and create user interfaces for websites and applications. Across its library ecosystem, TanStack has been downloaded more than four billion times. The total ecosystem currently receives more than 177 million downloads per week.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.