OpenAI reported no user data was accessed in the TanStack npm worm. The attacker took over TanStack's release pipeline mid-build. Two corporate laptops and credential material were affected.