OpenAI Confirms Data Breach by Supply Chain Attack
OpenAI confirmed a data breach in which two employee devices were compromised during the massive “Mini Shai-Hulud” supply chain attack. The TeamPCP extortion gang used malicious TanStack npm updates to gain unauthorized access to internal repositories and exfiltrate credentials. While customer data and production systems remain secure, OpenAI is rotating all of its application code-signing certificates as a precaution. As a result, macOS users must update their desktop apps by June 12, 2026, to ensure continued functionality and security updates.
Source: Bleeping Computer
Zara Data Breach Impacts 200K Customers
Roughly 200,000 Zara customers were exposed during an April cyberattack later claimed by the notorious ShinyHunters gang, according to a new report by Have I Been Pwned. The incident originated at a former third-party technology provider, Anodot, where the extortion group stole authentication tokens used to access Zara’s BigQuery databases. Exposed records include unique email addresses, order IDs, product SKUs, geographic locations, and customer support tickets. While Zara clarified that passwords and financial information were not affected, ShinyHunters has publicly leaked the stolen 140GB dataset.
Source: Cybernews
Grafana GitHub Token Breach
Grafana Labs disclosed that an unauthorized party used a compromised GitHub token to breach its development environment and download portions of its codebase. After the data theft, the extortion crew “CoinbaseCartel” attempted to blackmail Grafana, demanding payment to prevent a public leak. Following FBI guidance, Grafana refused to pay the ransom. The investigation confirmed that the leaked credentials have been invalidated and that no customer data or production environments were impacted.
Source: The Hacker News
EU’s Cyber Resiliency Act Will Test IT Leaders
The European Union’s Cyber Resilience Act (CRA) shifts the focus from process compliance to final product safety, and that shift will heavily test IT leaders. Applying to any commercially sold digital product with network connectivity, the regulation mandates a “secure by design” approach and five years of free security updates. While the final deadline is December 2027, companies must implement strict incident reporting processes, including a 24-hour initial flaw notification window, by September 11, 2026, or face hefty multi-million euro fines.
Source: CSO Online