Earlier this week, hackers took over many open source projects used by dozens of companies and pushed updates designed to spread malware. This is the latest in a series of recent supply chain attacks targeting software developers and their projects.
On Wednesday, OpenAI confirmed that two employees had their devices “affected by this attack.” But after investigation, the company said in a blog post that it found “no evidence that OpenAI user data was accessed, that our production systems or intellectual property was compromised, or that our software was modified.”
OpenAI said the workers’ devices were compromised by an earlier attack on TanStack, a popular open-source library that helps developers build web applications.
On Monday, TanStack revealed the attack and published a postmortem, saying hackers released 84 malicious versions of its software in a six-minute window. The project said a researcher detected the attack within 20 minutes. The malicious TanStack releases included malware designed to steal credentials from computers on which the software was installed and self-propagate to spread to other systems.
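The release pattern TanStack described, dozens of versions published within a few minutes, is a signal defenders can check for in registry metadata before pulling an upgrade. The script below is an added example, not code from the article, TanStack, or OpenAI. It assumes npm-style packument metadata, which carries a `time` object mapping each version to its ISO-8601 publish timestamp; the package versions, dates and the 84-release burst it builds are constructed to mirror the numbers in the postmortem.

```python
"""Flag package releases that were published in an anomalous burst.

Added example (not from the article or the TanStack project). It assumes
registry metadata shaped like the npm registry's packument, whose ``time``
object maps each version string to its publish timestamp. All versions and
timestamps below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone


def parse_iso(ts):
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_bursts(time_map, window=timedelta(minutes=10), threshold=5):
    """Return lists of versions published in a burst.

    A burst is a run of at least `threshold` releases whose publish times all
    fall within `window` of the first release in the run. The packument's
    non-version keys 'created' and 'modified' are ignored.
    """
    events = sorted(
        (parse_iso(ts), version)
        for version, ts in time_map.items()
        if version not in ("created", "modified")
    )
    bursts = []
    i = 0
    while i < len(events):
        j = i
        # Extend the run while the next release is still inside the window
        # measured from the first release of the run.
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append([version for _, version in events[i:j + 1]])
            i = j + 1  # skip past the burst
        else:
            i += 1
    return bursts


def constructed_time_map():
    """Build a constructed packument 'time' map: six routine monthly
    releases followed by 84 patch versions pushed four seconds apart
    (about 5.5 minutes in total). Dates are hypothetical."""
    base = datetime(2025, 1, 1, tzinfo=timezone.utc)
    time_map = {"created": base.isoformat()}
    for k in range(6):
        time_map[f"1.{k}.0"] = (base + timedelta(days=30 * k)).isoformat()
    burst_start = base + timedelta(days=200)
    for k in range(84):
        time_map[f"1.6.{k}"] = (burst_start + timedelta(seconds=4 * k)).isoformat()
    time_map["modified"] = (burst_start + timedelta(seconds=4 * 83)).isoformat()
    return time_map


def is_suspect(version, bursts):
    """True if `version` belongs to any detected burst."""
    return any(version in burst for burst in bursts)


if __name__ == "__main__":
    bursts = release_bursts(constructed_time_map())
    for burst in bursts:
        print(f"burst of {len(burst)} releases: {burst[0]} .. {burst[-1]}")
    print("1.3.0 suspect:", is_suspect("1.3.0", bursts))
    print("1.6.42 suspect:", is_suspect("1.6.42", bursts))
```

Run against live registry metadata, the same function would take the `time` object returned for a package and flag versions that arrived in a cluster so that a CI step can refuse to resolve to them until a human has looked. The window and threshold are policy choices; a project with a genuinely fast release cadence needs a tighter window or a higher threshold to avoid false positives.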
Contact us
Do you have more information about this supply chain attack? Or other supply chain compromises? From a non-working device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram and Keybase @lorenzofb or via email.
For its part, OpenAI said it saw unauthorized access and stolen credentials “to a limited subset of internal source code repositories accessed by the two affected employees.”
According to the AI giant, “only limited credential material” was obtained from the affected code repositories. As a precaution, since the affected repositories contained digital certificates used to sign OpenAI products, the company said it is replacing the certificates “preemptively,” which will require macOS users to update the app.
“We found no evidence of compromise or risk to existing software installations,” the company wrote.
It is not clear who is behind the TanStack attack. Some of the previous supply chain hacks have been attributed to a hacking gang known as TeamPCP, a group that has itself been targeted by hackers.
But there have been other groups that have used the same tactic against other projects. In March, North Korean hackers took over Axios, a popular open source development tool, and pushed malware that could have infected millions of developers. And in May, Chinese hackers were blamed for a similar attack that targeted thousands of Windows PCs running Daemon Tools disk imaging software.
In these attacks, rather than targeting specific companies, hackers take over open source projects and push malware disguised as routine, legitimate updates. This allows them to compromise dozens of targets with a single hack, spreading the damage across the internet.
