Our response to the TanStack npm supply chain attack
OpenAI recently addressed a security incident involving the TanStack npm open-source library, part of the broader Mini Shai-Hulud attack. While two employee devices were affected, there is no evidence of compromised user data or production systems, and immediate action was taken to secure all systems. As a precautionary measure, macOS users are required to update their OpenAI applications due to rotated security certificates.
OpenAI recently identified and addressed a security incident involving the TanStack npm open-source library, a component of the broader Mini Shai-Hulud supply chain attack. Despite the compromise of two employee devices within the corporate environment, the company found no evidence of unauthorized access to user data, compromised production systems, or altered software.
Upon detecting malicious activity, OpenAI initiated a swift response, including investigation, containment, and engaging a third-party digital forensics firm. The company observed limited credential exfiltration from internal source code repositories accessible to the affected employees. However, there was no indication of customer data impact, intellectual property compromise, or misuse of exfiltrated credentials.
Immediate containment measures included isolating impacted systems, revoking user sessions, rotating credentials, and temporarily restricting code-deployment workflows. As a precautionary step, OpenAI is rotating code-signing certificates across all products. As a result, macOS users must update their OpenAI applications to the latest versions. Users of Windows and iOS applications are not required to take any action.
This incident highlights a growing trend in cyberattacks targeting shared software dependencies and development tools. OpenAI is committed to bolstering its defenses against such ecosystem-level supply chain attacks by investing in controls that validate the integrity and provenance of third-party components. These measures aim to prevent similar incidents in the future and ensure the security of its interconnected software ecosystem.
