NewsNTech

Decompiled: How Mini Shai-Hulud Walked Into OpenAI Through Two Unpatched Laptops

5/14/2026

The story everyone is reading says: OpenAI got brushed by a supply chain attack, no user data exposed, move along.

The story underneath the wire is more interesting.

Two engineering laptops at one of the most security-conscious companies on the planet were running an outdated install configuration when 84 poisoned versions of TanStack packages shipped to npm.

The package those laptops pulled in, @tanstack/react-router, gets downloaded over 12 million times a week. The blast radius wasn't OpenAI. The blast radius was the registry.
