OpenAI says no user data was touched in the TanStack npm worm
Briefly

"OpenAI said on Wednesday that it found no evidence of user data being accessed, products being compromised, or its software being altered after a supply-chain compromise of the TanStack npm packages earlier this week. Two employee devices in OpenAI's corporate environment were affected, the company said in a notice published on its website. Limited credential material was exfiltrated from internal code repositories. Passwords and API keys were not."
"On 11 May, between 19:20 and 19:26 UTC, 84 malicious artefacts were published across 42 packages in the @tanstack namespace, including @tanstack/react-router, which alone pulls more than 12.7 million weekly downloads. They were not uploaded by an attacker who had phished an npm credential. They were uploaded by TanStack's own legitimate release pipeline, using its trusted OIDC identity, after an attacker-controlled fork hijacked the GitHub Actions runner mid-workflow and exfiltrated the OIDC token directly from the runner's process memory."
"TanStack's maintainer Tanner Linsley described it, accurately, as the first documented npm worm in history that ships with a valid signed certificate of authenticity. The campaign has a name. Mini Shai-Hulud, a self-replicating descendant of the worm that first hit the npm registry in September 2025, has now compromised more than 170 packages across npm and PyPI, including releases from Mistral AI, UiPath, OpenSearch, and Guardrails AI."
Two corporate laptops were affected by a supply-chain compromise involving TanStack npm packages. Limited credential material was exfiltrated from internal code repositories, while passwords and API keys were not. On 11 May, 84 malicious artifacts were published across 42 packages in the @tanstack namespace, including @tanstack/react-router with millions of weekly downloads. The packages were not uploaded using stolen npm credentials. They were uploaded by TanStack’s trusted release pipeline using its OIDC identity after an attacker-controlled fork hijacked the GitHub Actions runner mid-workflow and extracted the OIDC token from runner process memory. The incident is linked to Mini Shai-Hulud, a self-replicating worm that has compromised many packages across npm and PyPI.
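As an added illustration (not from the article, and not TanStack's actual pipeline), the workflow below shows the defensive shape that keeps a runner's OIDC token out of reach of untrusted code: the release job is the only job allowed to mint the token, it runs only on a tag pushed to the trusted repository, and no job checks out or executes fork-supplied content. The contrasting weak pattern named in the comments (workflow-wide `id-token: write` plus checkout of a pull request head) is an assumption about the general failure class, since the article does not say how the fork reached the runner; the environment name is invented.

```yaml
# Added example, not TanStack's real workflow.
name: release

on:
  push:
    tags: ['v*']      # never pull_request / pull_request_target on a release workflow

# Default for every job: no token scopes at all. The weak pattern is a
# top-level `id-token: write`, which lets any job in the workflow (including
# one that builds code taken from a fork) obtain the OIDC token.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Checks out the tagged commit itself. The weak pattern checks out
      # ${{ github.event.pull_request.head.sha }}, i.e. fork-controlled code.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci --ignore-scripts   # dependency lifecycle scripts do not run on this runner
      - run: npm run build && npm test
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: npm-release      # assumed name; gate it with required reviewers
    permissions:
      id-token: write             # OIDC is mintable only in this job
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - run: npm publish --provenance --access public
```

Keep the build job from ever running content the release trigger did not produce; an artifact built from untrusted code would still be published with a valid provenance attestation by the hardened publish job.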
Read at TNW | Openai