OpenAI says hackers stole some data after latest code security issue - BERITAJA

Earlier this week, hackers hijacked respective unfastened root projects utilized by dozens of companies and pushed updates designed to dispersed malware. This is the latest successful a drawstring of caller alleged “supply chain” attacks targeting package developers and their projects.

On Wednesday, OpenAI confirmed that 2 labor had their devices “impacted by this attack.” But, aft an investigation, the institution said in a blog post that it recovered “no grounds that OpenAI personification information was accessed, that our accumulation systems aliases intelligence spot were compromised, aliases that our package was altered.”

OpenAI said that employees’ devices were compromised by an earlier onslaught connected TanStack, a celebrated unfastened root room that helps developers build web apps. 

On Monday, TanStack disclosed the attack and published a post-mortem, saying hackers published 84 malicious versions of its package during a six-minute window. The task said a interrogator detected the onslaught wrong 20 minutes. The malicious TanStack versions included malware that was designed to bargain credentials from computers that the package was installed on, and self-propagate to dispersed to different systems. 

On its part, OpenAI said that it saw unauthorized entree and theft of credentials “in a constricted subset of soul root codification repositories to which the 2 impacted labor had access.”

According to the AI giant, “only constricted credential material” was taken from the affected codification repositories. As a precaution, fixed that the affected repositories contained integer certificates utilized to motion OpenAI’s products, the institution said it’s rotating the certificates “as a precaution,” which will require macOS users to update the app. 

“We person recovered nary grounds of discuss aliases consequence to existing package installations,” the institution wrote.

It's not clear who is down the TanStack attack. Some of the past proviso concatenation hacks person been attributed to a hacking pack known arsenic TeamPCP, a group that was itself a target of hackers. 

But location person been different groups that person employed the aforesaid strategies against different projects. In March, North Korean hackers hijacked Axios, a celebrated unfastened root improvement tool, and pushed malware that could person infected millions of developers. And successful May, Chinese hackers were accused of a akin attack targeting thousands of Windows computers moving disc imaging package Daemon Tools.

In these attacks, alternatively of targeting circumstantial companies, hackers return complete unfastened root projects and push retired malware disguised arsenic innocuous regular updates. This allows them to perchance discuss dozens of targets pinch conscionable 1 hack, spreading the harm crossed the internet.