Open Source Package with 1M Downloads Compromised to Steal Credentials
Original: Open source package with 1 million monthly downloads stole user credentials
Why This Matters
Demonstrates how a weakness in one project's CI workflow can turn a package installed a million times a month into a credential-stealing supply chain attack against every downstream user.
The element-data package, which sees over 1 million monthly downloads, was compromised when attackers exploited a vulnerability in its GitHub Actions workflow to publish malicious version 0.23.3. The release stole user credentials, data warehouse credentials, and API tokens before it was removed roughly 12 hours later.
Unknown attackers exploited a vulnerability in Elementary's GitHub Actions workflow to obtain the project's signing keys and publish malicious version 0.23.3 of element-data, a CLI tool for monitoring machine learning systems. The attacker submitted a pull request containing malicious code; the workflow executed the attacker's bash script in the context of the developer's account, harvesting the credentials needed to publish. Once installed, the malicious package collected user profiles, warehouse credentials, cloud provider keys, API tokens, and SSH keys from affected systems. The compromised release was published to the Python Package Index (PyPI) and to Elementary's Docker accounts before being removed 12 hours later, on Saturday. Elementary urges anyone who installed version 0.23.3 to uninstall it immediately, upgrade to version 0.23.4, rotate every credential the host could reach, and check for the marker file /tmp/.trinny-security-update, whose presence indicates the payload executed. Because the payload exfiltrated secrets rather than leaving a persistent implant, removing the package alone is not sufficient: the rotation is the actual remediation, and the marker file only confirms execution on that host, so its absence does not prove the credentials are safe.
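The following triage script turns the advisory's checklist into something that can be run on each host and against each project's pin files. It is an added example, not Elementary's code; it assumes the distribution name element-data as given above, the compromised version 0.23.3, the fixed version 0.23.4, and the marker path /tmp/.trinny-security-update. The `pip` command name and the requirements-file format it parses are assumptions of the example.

```shell
#!/bin/sh
# Added triage helper for the element-data 0.23.3 incident (not Elementary's code).
# Checks: installed version via pip, pins in requirements/lock files, and the
# marker file the advisory says the payload writes. Paths/versions are assumptions
# taken from the advisory text above.

PKG="element-data"
BAD_VERSION="0.23.3"
FIXED_VERSION="0.23.4"
MARKER="/tmp/.trinny-security-update"

# True when the given version string is exactly the compromised release.
is_compromised_version() {
    [ "$1" = "$BAD_VERSION" ]
}

# Print the version pip has installed for PKG, or nothing if absent / no pip.
installed_version() {
    pip show "$PKG" 2>/dev/null | awk -F': ' '/^Version:/ {print $2}'
}

# True when a requirements/lock file pins PKG to the compromised version.
# Handles PEP 503 name normalisation (element-data / element_data / element.data),
# case differences, extras like element-data[all], whitespace around "==",
# and trailing environment markers or comments.
pinned_to_bad_version() {
    name_re=$(printf '%s' "$PKG" | sed 's/[-_.]/[-_.]/g')
    ver_re=$(printf '%s' "$BAD_VERSION" | sed 's/\./\\./g')
    pat="^[[:space:]]*${name_re}(\[[^]]*\])?[[:space:]]*==[[:space:]]*${ver_re}"'([[:space:]]|$|;|#)'
    grep -Eiq "$pat" "$1"
}

# True when the execution marker exists (argument overrides the default path).
marker_present() {
    [ -e "${1:-$MARKER}" ]
}

# Full check. Exit status: 0 clean, 1 compromised version present or pinned,
# 2 marker file present (payload ran; rotate every credential reachable here).
triage() {
    rc=0
    v=$(installed_version)
    if [ -n "$v" ] && is_compromised_version "$v"; then
        echo "installed $PKG $v is the compromised release: pip uninstall $PKG && pip install $PKG==$FIXED_VERSION"
        rc=1
    fi
    for f in "$@"; do
        if [ -f "$f" ] && pinned_to_bad_version "$f"; then
            echo "$f pins $PKG==$BAD_VERSION; bump to $FIXED_VERSION"
            rc=1
        fi
    done
    if marker_present; then
        echo "$MARKER exists: payload executed on this host, rotate all credentials it could reach"
        rc=2
    fi
    return $rc
}

# Usage: sh triage.sh requirements.txt poetry.lock ...
triage "$@" || echo "triage exit status $?"
```

Run it once per host and pass any requirements or lock files in the working tree; a non-zero status from `triage` is the signal to start rotation, and status 2 means the marker confirms the payload actually ran there.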