CRITICAL ⚡ MUST-KNOW

TanStack npm Supply Chain Attack Hits Multiple AI Companies

· supply-chain · npm · pypi · openai · appsec

TanStack, a widely used family of open-source JavaScript libraries, has been compromised as part of an expanding supply chain campaign that also affects additional npm and PyPI packages linked to multiple AI companies. OpenAI has asked its macOS users to update their software as a precautionary measure in response to the incident.

TanStack is widely used for data tables, routing, and query management in JavaScript applications, so a compromised release can reach a large share of the developer ecosystem, often as a transitive dependency rather than one a team chose directly. Organizations using TanStack or the affected AI company packages should check their lockfiles (not just their declared dependencies) for the compromised versions, reinstall from a clean lockfile, and rotate any credentials or secrets present on developer machines and CI runners that installed the affected releases, since a malicious package can read them at install or build time and build pipelines are where such secrets are most often exposed.