https://openai.com/index/our-response-to-the-tanstack-npm-supply-chain-attack
OpenAI has confirmed it was caught up in a supply chain attack targeting TanStack, a popular open-source library widely used by JavaScript developers to build web applications and data management tools. The attack involved a threat actor injecting malicious code into a dependency associated with the TanStack ecosystem, which was then unknowingly pulled into affected projects during routine software builds. OpenAI’s exposure to the breach was confirmed after security researchers identified that the malicious package had made its way into parts of the company’s development infrastructure.
Supply chain attacks of this nature are particularly dangerous because they exploit the trust developers place in open-source packages and the automated systems that fetch and install them. Rather than attacking a target directly, threat actors compromise a legitimate upstream component that is then distributed to potentially thousands of organisations simultaneously. In this case, the malicious code was designed to exfiltrate sensitive information, meaning any organisation that unknowingly incorporated the compromised package may have had data silently stolen without any obvious signs of intrusion.