Earlier this week, hackers took over several open source projects used by dozens of companies and pushed updates aimed at spreading malware. This is the latest in a recent series of so-called “supply chain” attacks targeting software developers and their projects.
OpenAI acknowledged on Wednesday that two of its employees' devices were “affected by this attack.” However, the company said in a blog post that its investigation found “no evidence that OpenAI user data was accessed, that our production systems or intellectual property was compromised, or that our software was modified.”
OpenAI said its employees' devices were compromised in an earlier attack on TanStack, a popular open source library that helps developers build web apps.
TanStack disclosed the attack on Monday, saying the hackers released 84 malicious versions of its software in six minutes, and published a post-mortem. According to the project, researchers detected the attack within 20 minutes. The malicious versions of TanStack contained malware designed to steal credentials from computers where the software was installed and to self-replicate, spreading to other systems.
OpenAI said there was unauthorized access and credential theft in a “limited subset of internal source code repositories that were accessed by the two affected employees.”
According to the AI giant, “only limited credentials” were harvested from the affected code repositories. Because those repositories contained digital certificates used to sign OpenAI products, the company said it was rotating the certificates “as a precaution,” which means macOS users will need to update their apps.
“We have found no evidence of compromise or risk to existing software installations,” the company wrote.
It is not clear who is behind the TanStack attack. Some past supply chain hacks have been attributed to a hacker group known as TeamPCP, which itself has been targeted by hackers.
But other groups employed the same tactics on other projects. In March, North Korean hackers hijacked Axios, a popular open source development tool, and delivered malware that could potentially infect millions of developers. And in May, Chinese hackers were accused of a similar attack targeting thousands of Windows computers running the disk imaging software Daemon Tools.
In these attacks, rather than targeting specific companies, hackers take over open source projects and push out malware disguised as benign regular updates. This allows a single hack to potentially compromise dozens of targets, spreading the damage across the Internet.
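The pattern described above, many malicious versions pushed to a registry in a few minutes, leaves a signal that defenders can check before installing a dependency. The script below is an added example written for this article; it is not code from TechCrunch, TanStack or OpenAI. It assumes package metadata shaped like the `time` object in an npm registry package document (version name to ISO-8601 publish timestamp), uses a constructed publish history rather than any real project's, and treats the ten-minute window, the five-version threshold and the seven-day cooldown as policy choices, not values from the article.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the "time" object of an npm registry
# package document: version -> ISO-8601 publish timestamp. Invented for
# this example; this is not any real package's publish history.
SAMPLE_TIME_FIELD = {
    "created": "2025-01-05T10:00:00.000Z",
    "modified": "2025-06-02T09:06:00.000Z",
    "1.0.0": "2025-01-05T10:00:00.000Z",
    "1.0.1": "2025-02-11T14:30:00.000Z",
    "1.0.2": "2025-03-20T08:15:00.000Z",
    # seven releases in six minutes: the burst shape the article describes
    "1.1.0": "2025-06-02T09:00:00.000Z",
    "1.1.1": "2025-06-02T09:01:00.000Z",
    "1.1.2": "2025-06-02T09:02:00.000Z",
    "1.1.3": "2025-06-02T09:03:00.000Z",
    "1.1.4": "2025-06-02T09:04:00.000Z",
    "1.1.5": "2025-06-02T09:05:00.000Z",
    "1.1.6": "2025-06-02T09:06:00.000Z",
}

# Constructed "current time" so the cooldown check is reproducible offline.
SAMPLE_NOW = datetime(2025, 6, 2, 10, 0, tzinfo=timezone.utc)

# Assumed policy values (not from the article): flag a package when more than
# this many versions land within the window, and only allow versions that
# have been public for at least the cooldown period.
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5
COOLDOWN = timedelta(days=7)


def parse_publish_times(time_field):
    """Return [(version, datetime)] sorted by publish time, skipping the
    registry's non-version bookkeeping keys."""
    publishes = []
    for version, stamp in time_field.items():
        if version in ("created", "modified"):
            continue
        # fromisoformat() on older Pythons rejects a trailing "Z"
        publishes.append((version, datetime.fromisoformat(stamp.replace("Z", "+00:00"))))
    publishes.sort(key=lambda item: item[1])
    return publishes


def largest_publish_burst(publishes, window=BURST_WINDOW):
    """Slide a time window over the sorted publishes and return
    (count, first_version, last_version) for the densest window."""
    best = (0, None, None)
    start = 0
    for end, (_, t_end) in enumerate(publishes):
        # advance the window start until every entry fits inside `window`
        while t_end - publishes[start][1] > window:
            start += 1
        count = end - start + 1
        if count > best[0]:
            best = (count, publishes[start][0], publishes[end][0])
    return best


def versions_meeting_cooldown(publishes, now=SAMPLE_NOW, min_age=COOLDOWN):
    """Versions that have been public long enough to install under a
    minimum-age policy, which keeps a freshly pushed malicious release out of
    a build until maintainers and researchers have had time to react."""
    return [version for version, published in publishes if now - published >= min_age]


def assess_package(time_field, now=SAMPLE_NOW):
    """Summarise the two checks for one package's metadata."""
    publishes = parse_publish_times(time_field)
    count, first, last = largest_publish_burst(publishes)
    return {
        "burst_flagged": count > BURST_THRESHOLD,
        "burst": (count, first, last),
        "installable": versions_meeting_cooldown(publishes, now),
    }


if __name__ == "__main__":
    report = assess_package(SAMPLE_TIME_FIELD)
    count, first, last = report["burst"]
    if report["burst_flagged"]:
        print(f"burst: {count} versions from {first} to {last} within {BURST_WINDOW}")
    print("versions old enough to install:", ", ".join(report["installable"]))
```

Run against live registry data, the same two checks work by feeding the package document's `time` object and the real clock into `assess_package`; the burst check catches the "many versions in minutes" shape, while the cooldown keeps a build from pulling a version that was published an hour ago, whatever its contents.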