OpenAI Reports Data Breach Following Recent Code Security Incident


Earlier this week, hackers hijacked several open source projects used by dozens of companies and pushed updates designed to spread malware. This is the latest in a string of recent “supply chain” attacks targeting software developers and their projects.

On Wednesday, OpenAI confirmed that two employees had their devices “impacted by this attack.” But after an investigation, the company stated in a blog post that it found “no evidence that OpenAI user data was accessed, that our production systems or intellectual property were compromised, or that our software was altered.”

OpenAI indicated that employees’ devices were compromised by an earlier attack on TanStack, a popular open source library that aids developers in building web apps.

On Monday, TanStack disclosed the attack and published a post-mortem, explaining that hackers released 84 malicious versions of its software during a six-minute window. A researcher detected the attack within 20 minutes. The malicious TanStack versions included malware meant to steal credentials from computers where the software was installed and to self-propagate to other systems.

OpenAI reported unauthorized access and credential theft “in a limited subset of internal source code repositories to which the two impacted employees had access.”

The AI giant mentioned that “only limited credential material” was taken from the affected code repositories. As a precaution, since the affected repositories contained digital certificates used to sign OpenAI’s products, the company is rotating the certificates, which will require macOS users to update the app.

“We have found no evidence of compromise or risk to existing software installations,” the company stated.

The identity of those behind the TanStack attack remains unclear. Some past supply chain hacks have been attributed to a hacking group known as TeamPCP, which was itself a target of hackers.

Other groups have used similar tactics against different projects. In March, North Korean hackers hijacked Axios, a popular open source development tool, spreading malware that could have infected millions of developers. In May, Chinese hackers were accused of a similar attack targeting thousands of Windows computers running disc imaging software Daemon Tools.

In these attacks, hackers do not target specific companies but instead take over open source projects and distribute malware disguised as regular updates. This allows them to potentially compromise numerous targets with a single hack, spreading the damage across the internet.
