
Tags: supply chain attack

OpenAI confirms employee devices hit in supply‑chain hack of open‑source library TanStack

OpenAI said two of its employees were affected by a recent supply‑chain attack that compromised the popular open‑source library TanStack. The breach allowed hackers to insert malicious code into the library, steal limited credential material from internal repositories and briefly expose digital certificates used to sign OpenAI products. The company found no evidence that user data, production systems or intellectual property were compromised and is rotating the certificates, prompting a macOS update. The incident adds to a string of recent attacks on open‑source projects.

Mercor Confirms Cyberattack Tied to LiteLLM Supply‑Chain Compromise

Mercor, an AI recruiting startup that connects domain experts with companies such as OpenAI and Anthropic, disclosed a security incident linked to a supply‑chain attack on the open‑source LiteLLM project. The breach, attributed to the hacking group TeamPCP, affected thousands of organizations and coincided with claims by the extortion group Lapsus$ that it had accessed Mercor's data. Mercor said it moved quickly to contain the incident, engaged leading third‑party forensics experts, and continues to communicate with customers and contractors while investigations proceed.

Massive npm Supply‑Chain Attack Compromises Hundreds of Packages

Hackers orchestrated what is likely the largest supply‑chain attack ever, affecting packages with 2 billion weekly npm downloads and compromising nearly two dozen open‑source packages. The breach began with a phishing email that tricked maintainer "Qix" into revealing his two‑factor authentication credentials. Within an hour, malicious code was added to dozens of packages, enabling the theft of cryptocurrency by monitoring transactions and redirecting payments to attacker‑controlled wallets. Researchers say the targeted selection of foundational JavaScript libraries vastly expands the attack's reach across the ecosystem.