OpenAI says hackers stole limited credential data from a small subset of internal source code repositories accessed by two employees, after a supply chain attack affected their devices. The company reports no evidence that user data, production systems, intellectual property, or existing software installations were compromised. OpenAI traces the incident to an earlier TanStack open source breach, where attackers published 84 malicious software versions over a six-minute window. OpenAI is rotating signing certificates as a precaution, requiring macOS updates.
A new Shai-Hulud campaign poisoned 172 npm and PyPI packages, including validly SLSA Level 3 provenance. Install or even import can trigger credential harvesting, persistence in Claude Code and VS Code, and CI runner memory scraping. Revoke tokens too soon and a destructive daemon may wipe a home directory. A six-gap CI/CD audit is urged, especially for OIDC scope and AI agent configs.
Your news, in seconds
Get the Beige app — every story in 60 words, updated hourly. Free on iOS & Android.
Swipe through stories, personalise your feed, and save articles for later — all on the app.
