OpenAI Discloses Supply Chain Attack Through TanStack npm Package
What Happened
Lorenzo Franceschi-Bicchierai reports that OpenAI confirmed a supply chain incident traced to a malicious version of a TanStack package. The compromise hit two engineers' machines and exposed limited internal credentials. OpenAI says production systems and customer data were untouched, and the affected credentials have been rotated.
My Take
Every AI lab tells customers their security is enterprise-grade, but the actual attack surface is still a developer running npm install in a coffee shop. The interesting bit is that supply chain attacks now target AI labs specifically because everyone knows that's where the model weights and customer prompts live. If you're a CISO, your AI vendor questionnaire needs a section on package management and developer endpoint hardening — and "we use Claude/ChatGPT for coding" is now part of your threat model.