// #code-signing

1 article

💻 AppSec

OpenAI Confirms Developer Devices Breached via TanStack Supply Chain Attack — Code-Signing Certificates Rotated

OpenAI confirmed that two developer devices were compromised as a result of the TanStack npm supply chain attack disclosed on 12 May, with malicious postinstall hooks executing on machines running npm install within the six-minute poisoning window. OpenAI rotated all affected code-signing certificates and npm tokens and is investigating whether any internal packages published using the compromised credentials were delivered downstream.
