Cyber Incident Victim: OpenAI
Date:
May 2026
Location:
United States of America
Summary
OpenAI reported that hackers compromised two employees' devices via a supply-chain attack on an open-source library, leading to unauthorized access to a limited subset of internal source code repositories containing digital certificates used to sign its products. The company found no evidence that user data, production systems, intellectual property, or software were altered, and it is rotating the affected certificates as a precaution.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Earlier this week, hackers hijacked several open source projects used by dozens of companies and pushed updates designed to spread malware, marking the latest in a string of recent supply-chain attacks targeting software developers and their projects. On Wednesday, OpenAI confirmed that two employees had their devices “impacted by this attack.” The company said the employees’ devices were compromised by an earlier attack on TanStack, a popular open source library that helps developers build web apps. On Monday, TanStack disclosed the attack and published a postmortem, stating that hackers published 84 malicious versions of its software during a six‑minute window. A researcher detected the attack within 20 minutes, and the malicious versions included malware designed to steal credentials from computers where the software was installed and to self‑propagate to spread to other systems. OpenAI reported that it saw unauthorized access and theft of credentials in a limited subset of internal source code repositories to which the two impacted employees had access.

As a precaution, because the affected repositories contained digital certificates used to sign OpenAI’s products, the company said it is rotating those certificates, which will require macOS users to update the app. OpenAI wrote that it has found no evidence of compromise or risk to existing software installations and no evidence that user data was accessed, production systems or intellectual property were compromised, or that its software was altered. It is not clear who is behind the TanStack attack, although some past supply‑chain hacks have been attributed to a hacking gang known as TeamPCP. In March, North Korean hackers hijacked Axios, a popular open source development tool, and pushed malware that could have infected millions of developers. In May, Chinese hackers were accused of a similar attack targeting thousands of Windows computers running disc‑imaging software Daemon Tools. The article notes that in these attacks, hackers take over open source projects and push out malware disguised as innocuous regular updates, allowing them to potentially compromise dozens of targets with a single hack and spread damage across the internet.
