OpenAI confirmed on May 13, 2026 that an internal investigation found no evidence ChatGPT user data or internal systems were accessed in connection with a supply-chain attack against the TanStack npm package, a widely used open-source JavaScript library. The compromised package versions reportedly contained unauthorized modifications designed to harvest sensitive information from developers and applications pulling in the infected dependency. OpenAI stated its security teams moved quickly to assess exposure and monitor affected environments after reports of the malicious package surfaced. The company indicated its infrastructure and customer data remained secure throughout the incident. The disclosure adds OpenAI to the list of organizations reviewing exposure from the TanStack npm compromise and underscores ongoing risk from third-party open-source dependencies.
- OpenAI Finds No Evidence of User Data Breach in TanStack npm Sup(opens in a new tab)
- OpenAI says hackers stole some data after latest code security i(opens in a new tab)
- OpenAI confirms security breach in TanStack supply chain attack(opens in a new tab)
- OpenAI confirms security breach in TanStack supply chain attack,(opens in a new tab)
- OpenAI Confirms Data Breach by Supply Chain Attack(opens in a new tab)