OpenAI Confirms User Data Security After Malicious Supply Chain Attack

Story Highlights
  • OpenAI says no user data was stolen after a malicious supply chain attack hit its internal systems this week.
  • The AI firm is now taking steps to lock down its apps to increase security and curb concerns about potential data breaches.

OpenAI, the artificial intelligence (AI) firm behind ChatGPT, confirmed on May 14 that no user data was stolen after a malicious supply chain attack targeting TanStack, an open-source library that the company uses. The company said the issue is part of a broader attack known as “Mini-Shai-Hulud.”

The malware attack hit two employee devices earlier this week, briefly exposing internal systems and app-signing keys across all major platforms. OpenAI acted promptly to contain the issue and is now working to restore security across its applications.

OpenAI Says No User Data Was Breached

OpenAI revealed that once the supply chain attack was noticed, it acted immediately to contain the activity. The company said that a further review of its systems found that no user data, passwords, or API keys were accessed during the malware attack. The firm also confirmed that its core systems, proprietary data, and software were left untouched.

Further checks on all software signed with its old certificates showed everything remained as expected. The firm also said that no published apps were altered and their installs are fully secure.

OpenAI added that only a small amount of internal login data was taken from a few source code stores, with no other code or data affected. As part of its investigation, the firm also brought in a third-party digital forensics and incident response group to conduct a thorough review of its systems. 

OpenAI Moves to Fix Security Gaps

OpenAI said it cut off affected systems right away and paused code-deploy workflows to limit the damage after the attack. It noted that the affected source code repositories held signing keys for its iOS, macOS, and Windows products.

As a precaution, the firm is rotating those keys, a move that will require macOS users to update their apps, with guidance to be provided. Windows and iOS users, however, do not need to take any action. By June 12, 2026, the company will also fully revoke certificates for iOS, macOS, and Windows.

OpenAI is also working with platform providers to block misuse of the old keys by stopping new sign-offs. The firm added that it will keep building tools to verify safety and check that any software it gets from outside companies is safe and trusted, to help prevent future supply chain attacks. The company also sounded the alarm about rising cyberattacks and threats, and said it will continue strengthening the defenses on its systems.

What Is a Good AI Stock to Buy?

OpenAI is a private company, so it does not have publicly traded stock. However, investors seeking exposure to AI stocks can consider popular options such as Google (GOOGL), Nvidia (NVDA), and Microsoft (MSFT). These stocks are currently rated as Strong Buys by Wall Street analysts tracked on the TipRanks Stock Comparison Center.
