OpenAI disclosed that the TanStack supply chain attack led to credential material being exfiltrated from internal source code repositories after two employee devices were infected. The company said it rotated credentials, revoked sessions, and re-signed applications after the code-signing certificates for its products were compromised. #OpenAI #TanStack #TeamPCP #ShaiHulud
Key points
- TanStack was hit on May 11 through a weakness in its package publishing process.
- TeamPCP released 84 malicious artifacts across 42 packages.
- More than 170 NPM and PyPI packages were compromised in the coordinated campaign.
- OpenAI had two employee devices infected and some credentials exfiltrated.
- OpenAI revoked certificates, rotated credentials, and required macOS app updates.
Read More: https://www.securityweek.com/openai-hit-by-tanstack-supply-chain-attack/