By Reuters | Updated: May 14, 2026
May 14 (Reuters) – OpenAI said on Wednesday it found no evidence that its user data was accessed after a security issue involving a supply-chain attack on TanStack npm, an open-source library.
Here are some details:
- The ChatGPT-maker said it found no evidence that its production systems or intellectual property were compromised, or that their software was altered
- OpenAI said two employee devices in its corporate environment were impacted after TanStack, a widely used open-source library, got compromised earlier this week
- Limited credential material was exfiltrated from these code repositories and no other information or code was impacted, OpenAI said
- The AI firm said that it isolated the impacted systems immediately after the attack and temporarily restricted code-deployment workflows, to contain impact
- OpenAI said it is rotating code-signing certificates, which would require macOS users to update their applications
- OpenAI did not immediately respond to a Reuters request for further details
Reporting by Gnaneshwar Rajan in Bengaluru; Editing by Mrigank Dhaniwala
© Thomson Reuters 2026
