OpenAI says no user data compromised in supply-chain security incident
14 May 2026
OpenAI has confirmed that no user data was compromised in a recent security incident involving the open-source TanStack npm library.
The company issued a security update on its official website, detailing the issue as part of a larger software supply-chain attack campaign called "Mini Shai-Hulud."
This campaign targeted open-source developer ecosystems such as npm and PyPI.
Attack exploited vulnerabilities in CI/CD systems
The TanStack npm library attack saw hackers publish 84 malicious versions across 42 @tanstack/* npm packages.
They exploited vulnerabilities in GitHub Actions workflows and CI/CD cache systems.
The malicious packages were designed to steal credentials such as GitHub tokens, cloud API keys, npm credentials, and CI/CD secrets from compromised systems.
Limited exposure of internal data
OpenAI revealed that two of its employee devices were affected by the attack.
The company said it observed "unauthorized access and credential-focused exfiltration activity" involving a limited subset of internal source-code repositories accessible to those employees.
However, it emphasized that only a small amount of credential material was successfully exfiltrated, and no evidence was found indicating customer data, production systems, intellectual property, or software code had been compromised.
OpenAI took several precautionary measures
In light of the incident, OpenAI took several precautionary measures. These included isolating impacted systems, revoking sessions, rotating credentials, and updating security certificates for some products.
Incident underscores growing threat to open-source software supply chains
The incident has raised alarms over security vulnerabilities in open-source software supply chains, especially the npm ecosystem.
npm packages are widely used across the tech industry, and popular JavaScript packages and developer tools have been targeted in recent attacks.
Academic and industry studies have long warned about the rising threat of malicious npm packages and compromised maintainer accounts.