
OpenAI asks macOS users to update after TanStack npm supply chain attack

OpenAI is taking a range of actions to protect users following a supply chain attack that corrupted the signing keys used to make sure the company’s applications are legitimate. 

Users on macOS have to update their OpenAI applications by June 12, after which they will no longer receive updates or support and the service may not function. The new certificates with the update will help “customers know that software comes from the legitimate developer, OpenAI.”

The actions are being taken in light of an expanding supply chain campaign impacting the popular open-source library TanStack and additional npm and PyPI packages tied to several AI companies. 

OpenAI said in a blog post on Wednesday that two employee devices in its corporate environment were impacted by the attack. The company hired an incident response firm to help investigate and contain the incident. 

“We observed activity consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access,” OpenAI said. 

“We confirmed that only limited credential material was successfully exfiltrated from these code repositories and that no other information or code was impacted.”

OpenAI said it isolated the impacted systems, revoked user sessions, rotated credentials and “thoroughly scrutinized user and credential behavior.” The company has found no evidence of customer data being stolen.

The source code repositories that were affected by the attack include the company’s iOS, macOS, and Windows products. Users with Windows and iOS apps do not need to take any actions, but macOS users will have to install updates. 

OpenAI said it is also coordinating with other platforms to “prevent any unauthorized use of these certificates by stopping new notarizations.” 

“We have also reviewed all notarization of software using our previous certificates to confirm no unexpected software signing has occurred with these keys, and validated that our published software did not have unauthorized modifications. We have found no evidence of compromise or risk to existing software installations,” the company said. 

According to OpenAI, the actions taken mean that any fake apps posing as OpenAI that are using the affected certificate will be blocked by default by macOS unless a user explicitly bypasses those protections.

TanStack attack

The attack on TanStack set off alarm bells within the cybersecurity and developer community this week after 84 npm package artifacts were compromised on Sunday. The affected packages were changed to add credential stealers targeting developers. 

Several of the packages have over 12 million weekly downloads and are widely used. TanStack’s post-mortem also warned that the malware not only steals credentials from common locations but also self-propagates, targeting other packages the victim maintains and republishing them with the same malware.

Government officials in the United Kingdom said the malicious packages were uploaded in two phases on April 29 and May 11.

Avital Harel, security research lead at Upwind, told Recorded Future News that at its core, the attack is similar to downloading what appears to be a legitimate software update or tool from an official source, only to discover hidden code inside designed to steal sensitive information like passwords, login credentials and access tokens.

The downstream impact of the incident is significant if attackers gain access to company systems, software publishing accounts, or cloud environments that potentially affect the applications and services millions of people rely on every day, Harel said. 

Harel noted that one unusual aspect of the campaign is the destructive behavior attached to it. The malware appeared to include destructive actions targeting specific geographic regions, suggesting this was a much more advanced and intentional operation rather than simple opportunistic malware.

TeamPCP selling stolen data

On Wednesday, the alleged hackers behind the incident, known as TeamPCP, offered for sale stolen internal repositories and source code from Mistral AI, another artificial intelligence company that confirmed it was impacted by the TanStack incident.

A Mistral AI spokesperson told Recorded Future News that a group of hackers “temporarily” compromised one of its codebase management systems on May 12 through a third-party software supply chain attack, contaminating some of the French company’s packages.

“We rapidly neutralized the attack and mitigated the incident. We took the necessary actions to fully secure our infrastructure and support our customers with guidelines. We initiated an extensive forensic investigation in collaboration with competent services and authorities,” the spokesperson said. 

“From this investigation, we have concluded that attackers did not access any data beyond certain non-core code repositories. Neither our hosted services, managed user data, nor any of our research and testing environments were compromised.”

The TeamPCP hackers were previously behind an April attack on the widely used open-source Python package LiteLLM, which allowed the cybercriminals to breach several organizations, including AI recruiting company Mercor.

The group also used a stolen secret Amazon API key to breach the European Commission last month. 

Supply chain attacks have become a popular avenue for hacking groups to compromise large numbers of users and systems because of the now interconnected ecosystem of open-source libraries, package managers, and continuous integration and continuous deployment infrastructure that underpins modern software.

In its blog on Thursday, OpenAI said that after a different supply chain hack in March launched by alleged North Korean hackers, it “accelerated the deployment of specific security controls and technologies to reduce the impact of supply chain attacks such as this one.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.