OpenAI Breached: Hackers Targeted TanStack on GitHub in a Supply Chain Attack

Executive Summary: According to sources, OpenAI confirmed a security breach in which employee devices were compromised during a supply chain attack connected to the TanStack npm ecosystem.

OpenAI Cyber Breach: A Supply Chain Impact from the TanStack npm Ecosystem

The software supply chain attack connected to the TanStack npm ecosystem was carried out by TeamPCP, via a campaign called “Mini Shai-Hulud.”

The purpose was to spread malicious code through trusted software packages. No customer data, production systems, or intellectual property were leaked or stolen.

The impacted source code repositories included signing certificates for OpenAI products, including those for iOS, macOS and Windows. The security team rotated code-signing certificates as a precaution, which will require macOS users to update their applications.

Users do not need to take any action for Windows and iOS apps. Additional guidance will be provided to macOS users regarding these required updates. OpenAI’s team also reviewed all notarization of software using its previous certificates to confirm that no unexpected software signing has occurred with these keys.

What makes the attack significant

The attack reflects a broader shift in the threat landscape where attackers are increasingly targeting shared software dependencies and development tooling rather than any single company.

Most of modern software is built on a deeply interconnected ecosystem of open-source libraries, package managers, and continuous integration and continuous deployment infrastructure.

OpenAI further validated that its published software has no unauthorized modifications; no evidence of compromise or risk to existing software installations was found.

Compromised Packages

Package                           Compromised Versions
@mistralai/mistralai              2.2.3, 2.2.4
@tanstack/router-utils            1.161.11, 1.161.14
@tanstack/router-core             1.169.5, 1.169.8
@opensearch-project/opensearch    3.6.2
@uipath/docsai-tool               1.0.1
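
A lockfile check against the package versions listed above, as an added example (not code from OpenAI, TanStack or the original article). It takes the parsed content of a package-lock.json; SAMPLE_LOCK and the "some-sdk" package in it are constructed for illustration.

```javascript
// Compromised versions exactly as listed in the article's table.
const COMPROMISED = new Map([
  ['@mistralai/mistralai', ['2.2.3', '2.2.4']],
  ['@tanstack/router-utils', ['1.161.11', '1.161.14']],
  ['@tanstack/router-core', ['1.169.5', '1.169.8']],
  ['@opensearch-project/opensearch', ['3.6.2']],
  ['@uipath/docsai-tool', ['1.0.1']],
]);

// `lock` is the parsed content of a package-lock.json (lockfileVersion 1, 2 or 3).
// Returns one {name, version, path} record per locked install on the list.
function findCompromised(lock, badList = COMPROMISED) {
  const hits = [];
  const check = (name, version, path) => {
    if ((badList.get(name) || []).includes(version)) hits.push({ name, version, path });
  };
  // v2/v3: flat "packages" map keyed by install path, nested copies included.
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const i = path.lastIndexOf(marker);
    const name = meta.name || (i >= 0 ? path.slice(i + marker.length) : path);
    check(name, meta.version, path);
  }
  // v1: recursive "dependencies" tree keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}${marker}${name}`;
      check(name, meta.version, path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  // v2 files carry both sections; walk the tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not real project data); "some-sdk" is hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.0' },
    'node_modules/@tanstack/router-core': { version: '1.169.8' },
    'node_modules/@tanstack/router-utils': { version: '1.161.10' },
    'node_modules/some-sdk/node_modules/@opensearch-project/opensearch': { version: '3.6.2' },
  },
};
console.log(findCompromised(SAMPLE_LOCK));
```

The check matches only the versions in the table, so an empty result does not cover other packages the worm has since reached.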

A vulnerability introduced upstream can propagate widely and quickly across organizations.

Any weakness can rapidly spread to many organizations that depend on it. The attack published malicious versions through the project’s own GitHub Actions release pipeline using hijacked OIDC tokens.

The compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm that produces validly attested malicious packages. The worm has since spread beyond TanStack to packages from UiPath, DraftLab and others.

What the Malicious Payload Does

The payload router_init.js is identical across all compromised @tanstack packages (SHA-256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c). It is a 2.3 MB single-line JavaScript file that, once deobfuscated, reveals a sophisticated multi-stage credential stealer with persistence, exfiltration and self-destruction capabilities.

Conclusion:

Many companies use the same software, frameworks, cloud services, or open-source components. If a vulnerability exists in that shared technology, every organization using it may become exposed.

Because modern software ecosystems are highly interconnected, the vulnerability can spread quickly across cloud environments, applications and supply chains.

OpenAI is said to be continuing to invest in controls that validate the integrity and provenance of third-party components and to strengthen its defenses against these kinds of ecosystem-level supply chain attacks.

Sources: Our response to the TanStack npm supply chain attack | OpenAI
