OpenAI caught NPM supply chain chaos after employeedevices compromised
OpenAI experienced a security breach due to compromised employee devices, leading to the theft of internal credentials. The incident is part of a larger supply chain attack campaign targeting npm ecosystems. OpenAI has since rotated signing certificates for several products as a precautionary measure.
- ▪Attackers stole internal credentials from two employee devices after malware infiltrated through poisoned packages.
- ▪OpenAI stated that there is no evidence of customer data or production systems being compromised.
- ▪The company is requiring users to update affected software by June 12 due to the incident.
Opening excerpt (first ~120 words) tap to expand
(function() { let windowUrl = window.location.href; windowUrl = windowUrl.substring(windowUrl.indexOf('?') + 1); let messageElement = document.querySelector('.shareableMessage'); if (windowUrl && windowUrl.includes('code') && windowUrl.includes('expires')) { messageElement.style.display = 'block'; } })(); Security OpenAI caught in TanStack npm supply chain chaos after employee devices compromised Attackers stole a limited amount of internal credential material after malware hidden in poisoned packages reached two staff machines Carly Page Carly Page Published fri 15 May 2026 // 11:08 UTC OpenAI says attackers behind the TanStack npm supply chain compromise stole internal credentials after reaching two employee devices, forcing the company to rotate signing certificates for several desktop…
Excerpt limited to ~120 words for fair-use compliance. The full article is at theregister.